In 2021, a Florida water plant operator watched as someone online tried to alter the amount of sodium hydroxide in the water via remote access to the plant's TeamViewer software. Because the activity was observed as it happened and flagged immediately, the water plant avoided a potentially catastrophic public safety issue [1].
Two years later, federal investigators concluded the suspicious activity might have been employee error as opposed to a nefarious cyberattack [2]. Yet, the incident ignited a national story and gave a real-world example of vulnerabilities in critical infrastructure OT environments, such as water and wastewater treatment facilities, which ended up playing out for real in later cyberattacks.
Unfortunately, these organizations and thousands of others like them are playing catch-up to their IT counterparts in modernizing cybersecurity.
Water Systems in the Crosshairs
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. has approximately 153,000 public drinking water systems and over 16,000 publicly owned wastewater treatment centers. This gives bad actors a wide range of potential targets, as the recently publicized attacks below demonstrate:
- November 2023: Hacker group Cyber Av3ngers targeted the Pennsylvania-based Municipal Water Authority of Aliquippa. While the group did not gain access beyond a pump that regulates pressure, the company moved to backup methods while it took some equipment offline as a precaution [3].
- January 2024: Water treatment and waste management company Veolia North America disclosed a ransomware attack [4]. The company took the "targeted back-end systems and servers offline until they could be restored."
- April 2024: Indiana-based Tipton West Wastewater Treatment Plant became one of the targets of the "People's Cyber Army of Russia," which also took credit for overflowing a water tank in a Texas facility [5].
While water systems are under attack, regulators need to make more progress. Each of these attacks occurred after the Environmental Protection Agency (EPA) withdrew efforts to establish cybersecurity guidelines for U.S. water systems [6] in its annual Sanitary Survey Programs.
The EPA's initial move, aligned with the Biden administration's 2023 National Cybersecurity Strategy, mirrored the TSA's actions [7] after the 2021 Colonial Pipeline hack, highlighting a need for specialized oversight and unified standards in critical infrastructure sectors.
Critics argue for specialized agencies to oversee IT operators, given ongoing challenges with fragmented regulations [8] and conflicting information requests from multiple agencies. However, these issues underscore the difficulty of achieving cohesive cybersecurity standards across vital industries with OT.
As regulatory oversight evolves, most CISOs are focused on modernizing and improving OT cybersecurity. Adopting advanced technologies like AI will help organizations move from reactive to proactive security. AI can help improve security and ease compliance requirements by providing:
- Enhanced network visibility that provides a more comprehensive view of network activity across IT and OT networks.
- Advanced threat detection that can identify patterns and anomalies faster and more efficiently than traditional methods and help CISOs better understand and forecast potential vulnerabilities.
- Automated incident response that can quickly isolate threats and initiate recovery. AI-driven forensics also help streamline and speed up incident response and recovery.
Turning to Managed Services
To reduce the potential for downtime, boost defenses against cyberthreats, and keep pace with evolving compliance requirements, CISOs are turning to managed services to gain the specialized OT cybersecurity expertise and continuous monitoring they need to detect and respond to rising threats preemptively.
Managed services can help provide essential resources such as:
- Access to experts: CISOs gain access to specialized cybersecurity expertise and advanced technologies to ramp up cybersecurity protections quickly.
- 24/7 monitoring: Enables continuous monitoring and rapid response to threats, helping to reduce risks and potential downtime.
- Scalable solutions: Scalable and customizable security solutions can be tailored to meet the unique needs of critical infrastructure organizations.
Threats against critical infrastructure have never been more complex. Those who stay ahead of the curve can lower risks, better respond to cyberattacks, and recover from them. Without proactive vigilance, organizations may jeopardize the integrity of their systems and processes and even put the people they serve at risk.
Cyberattack Scenario
What might an attack actually look like? To illustrate the dangers of OT threats, we created a video demonstrating how a water treatment facility can successfully avoid a serious breach.
Watch the video to learn how comprehensive OT cybersecurity solutions and services from Rockwell Automation can help you better protect against threats.
References
1. https://www.cybersecuritydive.com/news/water-supply-cyber-attack-florida-ics-security/594764/
2. https://cyberscoop.com/water-oldsmar-incident-cyberattack/
3. https://beavercountian.com/content/special-coverage/iranian-linked-cyber-army-had-partial-control-of-aliquippa-water-system
4. https://mywater.veolia.us/veolia-responds-cyber-incident
5. https://www.wired.com/story/cyber-army-of-russia-reborn-sandworm-us-cyberattacks/
6. https://www.awwa.org/Portals/0/AWWA/Government/101323Insiders/Action-Memo-Rescinding-Cyber-Memo-October-2023.pdf
7. https://www.cybersecuritydive.com/news/pipeline-cyber-security-tsa-requirements/604001/
8. https://www.utilitydive.com/news/white-house-harmonize-cybersecurity-regulations/718327/