Security Experts:

Water Sector Security Report Released Just as Another Water Plant Hack Comes to Light

Cybersecurity report released for the U.S. water sector

The Water Sector Coordinating Council last week announced a new cybersecurity report focusing on water and wastewater utilities in the United States. The release of the report coincided with news that a threat actor in January attempted to poison the water at a facility in the U.S.

The Water Sector Coordinating Council describes itself as “a policy, strategy and coordination mechanism for the Water and Wastewater Sector in interactions with the government and other sectors on critical infrastructure security and resilience issues.”

The organization in April surveyed 606 individuals working at water and wastewater utilities in the U.S. to get a better understanding of the sector in terms of cybersecurity.

According to the report made public on June 17, 356 of respondents said they did not experience any IT security incident in the past year. Three respondents said they experienced 5 or more incidents and 83 reported 1-4 incidents in the last 12 months.

When it comes to cyber incidents involving operational technology (OT) systems, 410 respondents reported no incidents, 25 said they experienced 1-4 incidents, and one organization admitted suffering 5 or more incidents.

The same day the report was published, NBC News revealed that a hacker attempted to poison an unnamed water treatment plant that serves parts of the San Francisco Bay Area on January 15.

NBC obtained the information from a private report created by the Northern California Regional Intelligence Center in February. According to that report, the hacker used a former employee’s TeamViewer account to gain access to systems at the water facility and started deleting programs used for treating drinking water.

In February, law enforcement revealed that hackers had remotely accessed systems at the water plant in Oldsmar, a small city in Florida, and attempted to elevate levels of a certain chemical, putting the public at risk of being poisoned.

Then, in March, the U.S. Justice Department announced charges against a former Kansas utility worker accused of remotely tampering with a public water system’s cleaning procedures.

The 22-page report released last week by the Water Sector Coordinating Council contains some interesting information on the cybersecurity needs and challenges of this sector in the United States.

“Like all sectors, water and wastewater systems are targets, directly or indirectly, of cyber attackers, but complicating any set of solutions is the demographics of the sector. There are approximately 52,000 community water systems and approximately 16,000 wastewater systems in the United States,” the report reads.

“Among these utilities are a wide range of capabilities and capacities for cybersecurity enhancement. Many are subject to economic disadvantages typical of rural and urban communities. Others do not have access to a cybersecurity workforce. Operating in the background is that these utilities are struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations,” it explains.

Related: Probe Into Florida Water Plant Hack Led to Discovery of Watering Hole Attack

Related: Industry Reactions to U.S. Water Plant Hack: Feedback Friday

Related: Hack Exposes Vulnerability of Cash-Strapped US Water Plants

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.