We hear a lot about critical infrastructure and how important it is to secure it. But few categories of infrastructure are more critical to human existence than water and wastewater processing and transport systems. Next to the air we breathe, water is the most important component of our very survival. Water systems are essential to supplying safe and clean potable water to homes and businesses. A vital component of the water lifecycle is ensuring that wastewater is captured, properly treated, and then disposed of or reused. In addition to nature not delivering enough, there is another threat facing water supplies. All manner of critical infrastructure is under constant attack by cyber criminals and state-sponsored attackers, and the impact of cyber attacks on water infrastructure is particularly concerning.
Cybercriminals are often out to disrupt systems for a variety of political or personal reasons. Sometimes they want credit for having exposed a vulnerability or to call out a perceived injustice. Some want to sell data stolen from a victim. Others extort money from operators by threatening the release of stolen data or by encrypting systems and demanding a ransom for the encryption keys. Or governments want to explore the weaknesses of their enemies, plant malware for future use, and learn how their adversaries build and support their infrastructure so they can later copy or disrupt those systems. While the motivations are different, putting reliability, public health, the environment, and customer privacy at risk are all predictable results. That is why infrastructure cybersecurity—particularly for water and wastewater systems—is essential for protecting public health and maintaining the quality of life that modern societies have come to expect.
So What Impact Do Cyber Attacks Have on Water Infrastructure Systems?
A successful attack can cause disruptions in the management systems that allow for billing and accounting of water purchased from suppliers and delivered to customers. It can damage or disrupt the operational technology that manages water delivery. Water is most often treated with a variety of chemicals, that in the right combinations and quantities, make the water safe to drink. The chemicals are designed to treat the dangerous waterborne bacteria that would otherwise find their way into a home or business. In the wrong mixture or ratios, these chemicals can be extremely dangerous, and even deadly. Without them, deadly bacteria could be left in the water delivered to our homes and businesses. A successful attack could also lead to wastewater being released into the drinking water system without being properly treated. It can cause untreated water to be flushed into streets or other facilities where it is not meant to be. This can have significant negative public health and commercial implications.
Water and wastewater management organizations often serve a large number of customers. These customers provide personal information when they register or when using a variety of payment methods. The water management organizations, then collect and store that data. They also possess large amounts of data about water quality, treatment processes, and operational systems. If this data were to be stolen or otherwise accessed, it could be used for additional access or to attack the systems from within.
There are reasonable actions that organizations and communities must take to defend against and ensure resilience from cyber-attacks. Even with the best defense and recovery plans and procedures, cyber interruption and cyber liability insurance are a must!