Cases of cyber-attacks on water facilities across the globe are starting to rise as hackers seek to control systems of wastewater treatment plants, pumping stations, and sewers.
One such instance occurred only a few months ago when the Israeli authorities alleged that Iran was conducting a cyber-campaign targeting the country’s water and sewage facilities.
Investigations revealed that a piece of Iranian code passed through servers in the U.S. and Europe to hit Israel’s water infrastructure. The goal wasn’t to dump anything but to alter the amount of chlorine in the water supply.
A similar incident previously occurred in the United States in 2016 when a group of amateur hackers compromised the systems of an unmanned water treatment facility and altered the levels of chlorine in the water supply meant for distribution for two months. The saving grace was that the utility company was able to detect the anomaly in good time and fix it.
These incidents are a sign that we need to take water safety more seriously. However, this topic doesn’t seem to be on many people’s radar screens at the moment, and that also includes regulators and legislators, whose focus is usually on water scarcity and quality due to challenges like pollution and climate change.
Although awareness of cyber-threats is rising among water utilities, many are still not taking precautions to avoid this kind of disaster: reports reveal that an estimated 70,000 water utilities in the U.S. are vulnerable to attacks. Their spending is largely focused on embracing digital connectivity to reduce costs, boost efficiencies and improve quality, with very little attention paid to security.
While sensors can help monitor systems and ensure water quality, they can also be exploited by hackers for remote access into wells and water main systems because the networks are unprotected. This can lead to loss of control of a system, since the intruder can directly monitor it.
The water sector is a critical one for any nation, and the unavailability of proper security measures may expose more than 400 million citizens to grave consequences such as cholera, dysentery, or simply non-potable water supply.
Cybersecurity experts believe this problem persists for two reasons: the decentralized nature of the U.S. water industry, and the fact that the water sector, unlike the electric industry, has no regulatory requirements when it comes to cybersecurity. The WaterISAC has issued some guidelines in that regard, but they are not mandatory, which explains why compliance is low among utilities.
What can be done?
It’s about time the water industry received the kind of attention that has been given to the electric grid. It may not seem like a critical situation right now, but keep in mind that what triggers widespread chaos in many emergency planning exercises isn’t a power outage but a lack of clean water.
Government agencies working on cybersecurity in the water sector need to do more to ensure that utilities comply with the stipulated standards necessary for the protection of their networks. Also, utilities must strengthen their infrastructure so they can repel malicious attacks whenever they occur. We don’t have to wait for the wastewater systems to be compromised before we spring into action.