A quick cybersecurity pop quiz. Which of these three events is based on an actual occurrence?
- A malicious cyber actor deploys a SCADA-based ransomware attack against a water and wastewater system.
- A hacker accesses the computer systems for a water treatment facility, modifying the sodium hydroxide (lye) levels from 100 ppm to an extremely poisonous 11,100 ppm.
- A former employee at a water treatment plant remotely accesses a computer and shuts down the cleaning and disinfecting procedures that make water potable.
The correct answer, unfortunately, is “all of the above”. These were all actual events in California, Florida, and Kansas that were thankfully stopped in their tracks by attentive employees. To date, there has been no successful attempt by hackers to poison an American community’s water supply.
However, these types of attacks will inevitably become more sophisticated over time, which has prompted the US government to raise a cybersecurity alarm for the US’s 148,000+ public drinking water systems and 16,000+ publicly owned wastewater treatment systems.
What types of attacks might be directed at water utilities?
The specific details of how hackers might wreak havoc in the water sector vary, but the major threats to water utilities can be grouped into a few basic categories:
- Spearphishing using social engineering to attempt to deploy malware such as ransomware
- Insider threats from current or former employees who maintain improperly active credentials
- Exploitation of unsupported or outdated operating systems and software
- Exploitation of control system devices with vulnerable firmware versions
Utilities can shore up their defenses against cyberattacks in all of these categories with effective internal employee policies and procedures, but the last two on the list can be harder to address if your workforce relies on older or outdated software and devices without access to the latest firmware updates.
What is the current state of the EPA’s guidance and CISA’s recommendations?
Ideally, the EPA wants utilities to assess their own cybersecurity readiness as part of their regular Public Water System (PWS) sanitary surveys. This isn’t a requirement, but it – or something like it – could be in the future.
The EPA issued a memorandum in March 2023 with plans to fold cybersecurity assessments into sanitary surveys, but this was temporarily halted by the 8th Circuit US Court of Appeals in July and then withdrawn in October.
While you might be waiting for the guidance to develop or the guidelines to turn into official regulations, water utilities should not wait to implement cybersecurity improvements. If your utility isn’t performing any regular cybersecurity monitoring or assessments, there is no better time to correct that than now.
In fact, it may be alarming to learn that less than 25% of water and wastewater operators surveyed by the EPA are currently performing these kinds of annual cybersecurity risk assessments.
Although the EPA’s attempt at encouraging momentum for cybersecurity among utilities failed in 2023, and although the US Congress hasn’t yet proposed specific national legislation, this does not mean the issue will go away.
Indeed, this has ramped up efforts by CISA and other government bodies. Recently, FBI Director Christopher Wray testified before Congress about the dangers of Chinese hackers infiltrating US infrastructure systems. Only a few days later, Iranian officials were targeted by US sanctions for attacks last year. All of this points to an increasing urgency for action around cybersecurity issues in the water sector, which means water utilities can either wait for guidance or take proactive steps to assess their risk and close holes in their systems.
Resources for assessing your level of cybersecurity
If you have IT personnel at your water utility who are tasked with watching for cybersecurity threats, we’ve collected a number of checklists that we encourage you to share with them so they can more easily determine your utility’s cybersecurity readiness:
- New for 2024: CISA, FBI and EPA released an Incident Response Guide for the Water and Wastewater Sector that we encourage you to download and peruse. It covers four stages of response: 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery and 4) post-incident action.
- The EPA provides an extensive list of resources, including a downloadable water Cybersecurity Assessment Tool and Risk Mitigation Plan Excel Template that you can use to assess your cybersecurity.
- The Cybersecurity and Infrastructure Security Agency (CISA) has a Cyber Security Evaluation Tool (CSET) which you can download and install on a PC to help assess your security posture.
- The American Water Works Association (AWWA) provides Water Sector Cybersecurity Risk Management Guidance, as well as an online Cybersecurity Assessment Tool you can use to assess your readiness and comply with §2013 of America’s Water Infrastructure Act (AWIA) of 2018.
Can the cloud help water utilities with security?
We wanted to talk to an expert with experience in the energy and utility sectors about the EPA’s mandate, so we sat down for a conversation with AWS Principal Security Industry Specialist Maggy Powell.
Consult with an expert
If you don’t have the benefit of IT personnel on staff, you may be able to tap into these expert resources:
- Consult with a CSA: CISA offers a range of cyber and physical services throughout 10 regions. You can contact your regional office and ask about consulting with a Protective Security Advisor (PSA) or Cyber Security Advisor (CSA).
- Ask a circuit rider: USDA Rural Development has contracted with the National Rural Water Association to provide circuit riders in each US state and territory who are experienced in managing issues that arise in the day-to-day operations of rural water systems. Read all about it and submit an application online.
- Guidance for smaller utilities: If your water utility serves fewer than 10,000 people, the AWWA’s Water Sector Cybersecurity Risk Management Guidance for Small Systems can help streamline your self-assessment.
- CISA’s State and Local Cybersecurity Grant Program may provide important resources to offset some of the burden.
- Secure a grant: CISA and FEMA recently announced the availability of $374.9 million in grant funding for the FY 2023 State and Local Cybersecurity Grant Program. The deadline to apply is October 6.
- CISA announced a free program for water utilities. They will scan your publicly available networks and give you advice. The process is easy and you can receive results within 10 days. We’ve included their fact sheet at the bottom of this post, and you can email them to get started.
The security benefits of SaaS
We’re building new and innovative services that don’t require users to update their desktop or device’s software. Indeed, in many respects the Software as a Service (SaaS) model – in which you access all of your data, analytics, hydraulic models, etc., via a secure browser – may help to alleviate some of the cyber risks that utilities currently face.
For example, if you are currently an Autodesk customer with a subscription to one of our Info360 SaaS products (Info360 Asset, Info360 Insight, Info360 Plant) or if you utilize our new cloud simulation services within InfoWorks ICM, InfoWorks WS Pro, or InfoWater Pro, determining your compliance may be a little easier.
In addition to Autodesk certifications and compliance, these services are all powered by AWS, which we chose partly because of the enhanced security these cloud services can provide for water utilities who utilize our software. So you may find that some of the boxes in these checklists can be quickly checked off because you aren’t using installed desktop software AND aren’t sharing sensitive files over internal or “on-premises” systems.
Cybersecurity: perhaps the most important reason to update your software
A 2021 CISA survey found that over 80% of major vulnerabilities that surveyed facilities experienced were software flaws discovered before 2017, suggesting that a significant number of employees were not updating their software. If your utility relies on older desktop software (especially outdated legacy operating systems like Windows 7), you are more at risk for cyber incidents and you should carefully and methodically assess your security level.
Stay safe and secure
Going through these checklists can be an eye-opening experience for the smallest utilities, which may not have the benefit of IT personnel to guide purchasing or the technical assistance needed to implement cybersecurity best practices. But it is always better to enter the cybersecurity waters with your eyes open.
Learn about Autodesk’s security practices and the steps we take to enhance security of our products on the Autodesk Trust Center.
CISA fact sheet
Editor’s note: This article’s original publication date was August 21, 2023 and is being updated whenever there is new information to share.