Since the turn of the 21^st century, cyberspace has become so ingrained in our global culture that nearly every home and business is connected in some way. While technological progressions have allowed for a profound level of growth and development in this regard over the last several decades, the growing correlation between technology and everyday life has also potentially opened the door for new cyber-risks to emerge from a variety of avenues around the world. With global tensions running high given multiple extraneous military conflicts ongoing overseas, the United States Department of Homeland Security claims that all the warning signs for a potential “cyber 9/11” attack are here, and developments arising over the last week have pointed to the fact that certain areas of our daily lifestyle not necessarily tied to cyber-crime may be at more of an immediate risk than previously thought.

The DHS has called critical infrastructure the “backbone of our national and economic security”, with the various services provided crucial to the health and well-being of all Americans. Critical infrastructure is defined as the various assets, systems, and networks that provide functions necessary for our way of life. All told, this definition has come to include a total of 16 individual sectors each playing significant roles in the daily life of the average citizen. Notable sectors covered under this umbrella term include chemical, commercial facilities, communications, energy, water and wastewater, food and agriculture, financial services, information technology and nuclear reactors, and materials and waste, amongst others. Altogether the damages from global cyber-criminal activity currently exceed $7 trillion per year and rising, and given that each of these realms exists in an interconnected ecosystem, any threat to one individual sector could have even more debilitating effects on national security, economic, and public health and safety.

The Environmental Protection Agency (EPA) released some disturbing news this past week as it pertains to a major aspect of U.S. critical infrastructure, reporting that immediate action needs to be taken to remedy deficiencies in security standards related directly to the U.S. water supply. The agency has highlighted the fact that cyberattacks against water utilities across the United States are not only growing more prevalent, but also more severe over recent years. The EPA identified several notable cybersecurity vulnerabilities in drinking water systems across the country, with federal investigators finding that approximately 70% of water systems surveyed since September have failed to meet the acceptable standards for preventing breaches or other intrusions.  

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,”¹ said EPA Deputy Administrator Janet McCabe. “EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health.”¹

Sadly, some failures identified by investigators were as basic as password protection. Many facilities were found to be using their default system passwords without ever changing them, completely oblivious to how easy it would be for a hacker to capitalize on their ignorance. Just like the financial sector, these facilities are expected to maintain a risk-based strategy with regular cybersecurity assessments to prevent criminals from entering their system. Unfortunately, water systems located outside of major metropolitan areas generally do not boast the same level of funding from their local governments to maintain as robust of standards with respect to cybersecurity and are often the most vulnerable to illicit exploits. Couple this with the fact that the guard is generally down for employees at these smaller locations given that most would never expect to be a target of activities of this variety and cyber-criminals are effectively provided the perfect storm for exploiting these specific entities. Much like bad actors targeting financial institutions, targeting multiple low-risk entities is much more appealing – and often far more successful – than choosing to take on the risk of detection that comes with challenging a major facility.

The cybersecurity threat to the water supply is not simply a prediction or a possible risk at this point – it’s already here. Multiple incidents have occurred in the past few years alone where hackers, including sanctioned entities in Iran, and those linked to Russian and Chinese operatives, have been able to breach critical infrastructure systems. Just this January, there was a notable case where Russia-linked hackers breached several rural U.S. water systems including one in Texas that caused a tank in this respective facility to overflow. This case was the latest in a string of actions taken by foreign operatives using their ill-gotten access to sensitive industrial equipment to disrupt regular operations at American water facilities, and was one of the first cases that saw the general public appeal to the U.S. government to improve their cyber defenses in this regard. Reports have indicated that U.S. officials have been concerned over these emerging risks facing the 150,000+ public water systems, and have held internal discussions to address the ongoing struggle to find the cash and personnel to deal with persistent hacking threats from criminal and state actors. Yet to date, little tangible action has been taken to address these issues.²

Bringing greater public attention to this growing problem is undoubtedly a step in the right direction when it comes to vigilance in this regard, though clearly there are significant issues to mend on behalf of national, state and local government agencies to prevent major disruptions affecting not only U.S. water systems, but all other aspects of domestic infrastructure. In their recent report, the EPA listed the following ways to reduce the risk of cyber-attacks. These points could also apply just as well to the financial industry:

• Reduce exposure to public-facing internet.
• Conduct regular cybersecurity assessments.
• Change default passwords immediately.
• Conduct an inventory of OT/IT assets.
• Develop and exercise cybersecurity incident response and recovery plans.
• Backup OT/IT systems.
• Reduce exposure to vulnerabilities.
• Conduct cybersecurity awareness training¹

Citations

1. “EPA Outlines Enforcement Measures to Help Prevent Cybersecurity Attacks and Protect the Nation’s Drinking Water.” EPA, Environmental Protection Agency, 20 May 2024.
2. Lyngaas, Sean. “Russia-Linked Hacking Group Suspected of Carrying out Cyberattack on Texas Water Facility, Cybersecurity Firm Says | CNN Politics.” CNN, Cable News Network, 17 Apr. 2024. 
3. Phillis, Michael. “US Says Cyberattacks against Water Supplies Are Rising, and Utilities Need to Do More to Stop Them.” ABC News, ABC News Network, 20 May 2024.