
Cybersecurity Strategies for Water Systems

7 Cost-Effective Ways to Fight Back and Protect the Public

We often take water for granted, but just take a moment to think about who relies on water systems.

  • Residents expect to turn on a faucet and get clean water for drinking, cooking, and bathing. 
  • Factories, manufacturing plants, and other industrial operations rely on water for production processes, cooling systems, and waste management. 
  • Farms and agricultural businesses use water for irrigation, livestock, and crop processing. 
  • Healthcare facilities need reliable water supplies for patient care, sanitation, and medical procedures. 
  • Schools, colleges, and universities require water for cafeterias, laboratories, and general sanitation. 
  • Government buildings, fire departments, and other municipal services use water for daily operations, emergency services, and public safety. 
  • Parks, swimming pools, sports complexes, and other recreational areas require water for maintenance and public enjoyment. 

Water infrastructure in the United States consists of 153,000 public drinking water systems and 16,000 publicly owned wastewater treatment systems. Ensuring that diverse constituents have reliable access to clean water is critical for public health, economic stability, and overall quality of life.

Yet, like any U.S. critical infrastructure, water systems are the target of nation states.

Such attacks are not uncommon, have been going on for years (see the timeline below), and grow increasingly sophisticated as nation states seek to weaken the U.S. due to geopolitical interests. And municipal water districts have been under special scrutiny because they tend to be the weakest in defending against such attacks.

How serious is this problem? How well are you doing to protect residents? Do you have the right resources to defend against these attacks?

This guide will help you answer these questions and give you a game plan for moving forward. 

What's Inside this Critical Cybersecurity Guide?

  1. Water Systems Timeline of Cybersecurity Attacks, Alerts, and Significant Events
  2. The Current Grade for U.S. Water Systems Cybersecurity? F
  3. Where Water Systems Stand: Assessing the Biggest Cybersecurity Weaknesses
  4. What You Must Do to Protect Your Residents—and Your Country
  5. Stepping Up to Protect Our Critical Infrastructure


Water Systems Timeline of Cybersecurity Attacks, Alerts, and Significant Events 

2018

  • March 2018: The FBI and DHS warn about Russia specifically targeting U.S. water infrastructure. 

2019

  • March 2019: At Post Rock Rural Water District in Ellsworth County, Kansas, a former employee used his credentials (which were still active) to access a computer and attempt to tamper with cleaning and disinfecting procedures. 
  • September 2019: The American Water Works Association named cybersecurity threats as the number one threat to water infrastructure. 

2020

  • March 2020: In its 2020 report, the nonpartisan Cyberspace Solarium Commission said, “Gaps in utilities’ network configurations, insecure remote access systems and outdated training regimes are just a few of the vectors through which Americans’ water infrastructure is vulnerable to cyber-enabled exploitations.” 
  • August 2020: At the Camrosa Water District in California, unauthorized users accessed data for almost a year and files were encrypted by cyberattackers. 
  • September 2020: A New Jersey-based WWS facility experienced a ransomware attack. 

2021

  • January 2021: A former contractor used his TeamViewer credentials (which were still active) to delete software programs related to drinking water treatment in the San Francisco Bay area. 
  • February 2021: At the City of Oldsmar, Florida, a hacker allegedly tried to poison the city’s water supply by increasing the amount of lye to dangerous levels, although later analysis suggested human error as the cause. 
  • Early 2021: Two unidentified Pennsylvania water systems were the victims of hackers enabling remote access and control capabilities. 
  • March 2021: A Nevada-based WWS facility experienced a ransomware attack that impacted its SCADA system and backups. 
  • May 2021: The Belle Vernon Municipal Authority in Pennsylvania experienced a data breach after hackers entered their systems. 
  • July 2021: A Maine-based WWS facility experienced a ransomware attack that impacted its wastewater SCADA computer. 
  • August 2021: A California-based WWS facility experienced a ransomware attack. Hackers had deployed the ransomware one month earlier, let it sit undetected, and shut down three SCADA servers when activated. 
  • October 2021: A joint advisory by CISA, the FBI, the EPA, and the NSA highlighted ongoing cyber threats to WWS facilities. 

2023

  • March 2023: The EPA added new cybersecurity regulations to the existing America’s Water Infrastructure Act of 2018 (AWIA). 
  • October 2023: A lawsuit brought by the attorneys general of Missouri, Arkansas, and Iowa forced the EPA to rescind these regulations. 
  • November 2023: Pro-Iranian hacktivists accessed a programmable logic controller (which had the default password of “1111”) at the Municipal Water Authority of Aliquippa in Pennsylvania. Until the employees contained the incident, they needed to operate a water pump station manually. 
  • December 2023: CISA put out an advisory warning that Iran-affiliated hackers had breached a handful of water utilities (fewer than 10) across the United States. 

2024

  • January 2024: A resident happened to see a water tower overflowing in Muleshoe, Texas. Russian hackers had gained access to their systems and caused this disruption. At the same time, these hackers also targeted water systems in three other Texas Panhandle towns (Abernathy, Hale Center and Lockney). In one case, employees had not changed a water system password for 10 years. 
  • March 2024: The federal government alerted governors about nation state actors (China and Iran) currently conducting cyberattacks upon water systems across the United States and, in some cases, breaching their information systems while remaining undetected. 
  • May 2024:
    • The City of Wichita, Kansas experienced a ransomware attack that temporarily shut down its water bill payment website. 
    • The EPA released an enforcement alert announcing increased inspections focused on cybersecurity and increased enforcement under the existing SDWA Section 1431. 
    • CISA released an advisory titled “Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity” in response to water systems still leaving operational technology (OT) systems exposed to the internet and using weak or default passwords. 

The Current Grade for U.S. Water Systems Cybersecurity? F

According to the EPA, over 70% of the water systems inspected since September 2023 did not follow basic cybersecurity standards. A VOA article notes that “only about 20% of publicly owned water systems have implemented basic cybersecurity measures, leaving the water sector ‘at risk’ to cyberattacks.”

However, many water systems breathe a sigh of relief…for the wrong reasons. 

  • “Phew! The EPA tried to regulate us, but a lawsuit shut it down.” 
  • “We hear CISA and government advisories all the time. It’s just noise.” 
  • “There are never any penalties if we fail to meet cybersecurity standards.” 

The rationale for some water systems might be that, with no audits or regulations to hold them accountable, they’re off the hook.

But you know deep down this is bad news. Very bad news.

Forget about regulations, fines, and government overreach. Are you going to use perceived technology ignorance, lack of budget, and understaffing as an excuse to just give up and risk the safety of your drinking water for residents? And make it easy for cyberattackers to do it with passwords such as “1111” for your most critical systems?

Let’s take a fresh look at the major problems plaguing water systems and figure out how to strengthen your critical infrastructure.

Where Water Systems Stand: Assessing the Biggest Cybersecurity Weaknesses

Water systems are some of the most important yet least protected critical infrastructure. The EPA specifies the impacts that a cyberattack can have, including:

  • Upsetting treatment and conveyance processes by opening and closing valves, overriding alarms, or disabling pumps or other equipment. 
  • Defacing the utility’s website or compromising the email system. 
  • Stealing customers’ personal data or credit card information from the utility’s billing system. 
  • Installing malicious programs like ransomware, which can disable business enterprise or process control operations.

As a result of these impacts, the EPA further states these attacks can: 

  • Compromise the ability of water and wastewater utilities to provide clean and safe water to customers. 
  • Erode customer confidence. 
  • Result in financial and legal liabilities. 

That’s what’s at stake. But there is also a daily reality you face. 

  • Lack of budget: Like any municipality or municipal-owned utility, you are going to face budget shortfalls and tight budgets. You don’t have a blank check to solve all your cybersecurity challenges. 
  • Lack of personnel: You probably feel criminally understaffed at moments—trying to run such important operations on just a handful of people. It’s not uncommon for a municipal water utility to be run by just 1-3 staff. 
  • Lack of resources and technical ability: If you’re lucky, you might have access to a break/fix IT support vendor or a municipal IT staff person. And those people might not have the deep technical skills to assess and address your cybersecurity challenges. At small water plants, you may not have any IT help at all. 

Common Water System Cyber Threats and Vulnerabilities 

Most of the attacks we outlined in our timeline follow common patterns. Here are a few ways that water systems are most exposed to cyberattacks. 

  • Operational technology (OT) networks connected to an IT network and the internet: This is the biggest cyber threat oversight for most water utilities. Cyberattackers are experts at finding their way into your networks through internet and IT network vulnerabilities. Once inside your systems, they can navigate anywhere that’s connected to your IT network—including OT networks. Critical OT networks should not be connected at all to your IT network and the internet.
  • Lack of strong access control policies: The second-biggest cyber threat oversight is poor access control practices. That includes weak and default passwords, leaving default settings on for IT and OT equipment, and not deleting user credentials when employees leave.
  • Unsupported, outdated, and unpatched operating systems and software: When you use obsolete or outdated software no longer supported by the vendor, then you are using software riddled with security vulnerabilities. Even worse, water systems often don’t apply software patches in a timely fashion to more modern applications. Cyberattackers know that many water systems rely on aging software and poor patch management practices, taking advantage of that weakness by exploiting these vulnerabilities.
  • Lack of security awareness training: Many water system employees lack knowledge about current cyberattack methods, leaving them vulnerable to anything from spear phishing attempts to cyberattackers entering your network undetected because you’re unable to spot suspicious behavior. 

The good news? Water utilities are decentralized. Unlike the electrical grid, an attack on a water system will affect just that water system. 

The bad news? With such decentralization, water utilities are left to their own devices. Without regulations or mandates, poor cybersecurity is often the result. 

Let’s say you’re not one of the typical water systems. You recognize the need for help, and you understand the risks. Unfortunately, due to budget constraints and lack of technical expertise, it can be difficult to know where to begin. Your municipal boards might balk at replacing hardware or considering the use of a managed services provider. 

We wouldn’t be doing our job if we didn’t acknowledge that some recommendations require significant investment. That’s just the reality. But as we’ll see, many issues can be resolved for little to no cost—giving you no excuse for inaction. 

What You Must Do to Protect Your Residents—and Your Country

Don’t wait until after an incident. You don’t want to be added to our timeline in a future version of this guide.

Despite the severity of the threats you face, basic cybersecurity best practices can fend off most of these nation state exploits. Here are the most important actions to take.

1. Get your operational technology (OT) off the public internet. 

This is the number one cause of incidents, and one of the easiest to fix.

Exposing OT systems to the public internet increases the risk of cyberattacks and other malicious activities that can disrupt water supply and treatment operations. Your OT systems often handle sensitive data related to the control and monitoring of water treatment processes. Ensuring this data is not accessible through the public internet helps protect it from unauthorized access and potential breaches.

To solve this problem, you need to: 

  • Segment networks: Create separate networks for OT systems and IT systems. If OT systems need to communicate with IT systems, implement controlled interconnections that strictly regulate and monitor data flow between the networks.
  • Use Virtual Private Networks (VPNs): For authorized personnel who need to access OT systems remotely, use VPNs to provide secure, encrypted connections.
  • Use secure protocols and encryption: Use secure communication protocols to encrypt data transmitted between OT devices and control systems, ensuring that data is protected from interception and tampering.
  • Inventory your systems: If you don’t know what you have, then access points that hackers could exploit may exist outside of your purview. Asset tracking involves recording the details of each asset including its current location, status, user, and history of maintenance and repairs. 
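
One way to check for the exposure described in this step, as an added example that is not part of the original guide: this Python script audits an asset inventory and a firewall rule list for OT systems with public addresses and for allow rules into the OT network that fall outside approved interconnections. The asset names, zones, rule format, and approved-conduit list are constructed for illustration and are assumptions, not any vendor's export format.

```python
import ipaddress

# RFC 1918 ranges; an OT address outside them is treated as publicly routable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (hypothetical asset names, zones and rules).
INVENTORY = [
    {"asset": "scada-server-01", "zone": "OT", "ip": "10.20.0.5"},
    {"asset": "plc-pump-station", "zone": "OT", "ip": "203.0.113.40"},
    {"asset": "billing-web", "zone": "IT", "ip": "198.51.100.7"},
    {"asset": "historian-01", "zone": "OT", "ip": "10.20.0.9"},
]
FIREWALL_RULES = [
    {"id": 1, "src": "INTERNET", "dst": "OT", "port": 8080, "action": "allow"},
    {"id": 2, "src": "IT", "dst": "OT", "port": "any", "action": "allow"},
    {"id": 3, "src": "IT", "dst": "OT", "port": 443, "action": "allow"},
    {"id": 4, "src": "VPN", "dst": "OT", "port": 3389, "action": "allow"},
    {"id": 5, "src": "INTERNET", "dst": "OT", "port": "any", "action": "deny"},
    {"id": 6, "src": "INTERNET", "dst": "IT", "port": 443, "action": "allow"},
]
# Interconnections the utility has explicitly approved (assumed policy).
APPROVED_CONDUITS = {("IT", "OT", 443), ("VPN", "OT", 3389)}


def exposed_ot_assets(inventory):
    """Return OT assets whose address is not in a private range."""
    exposed = []
    for item in inventory:
        if item["zone"] != "OT":
            continue
        addr = ipaddress.ip_address(item["ip"])
        if not any(addr in net for net in PRIVATE_NETS):
            exposed.append(item["asset"])
    return exposed


def risky_rules(rules, approved):
    """Return (rule id, reason) for allow rules into OT that break policy."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["dst"] != "OT":
            continue
        if rule["src"] == "INTERNET":
            findings.append((rule["id"], "OT reachable from the internet"))
        elif rule["port"] == "any":
            findings.append((rule["id"], "unrestricted ports into OT"))
        elif (rule["src"], rule["dst"], rule["port"]) not in approved:
            findings.append((rule["id"], "interconnection not approved"))
    return findings


if __name__ == "__main__":
    for asset in exposed_ot_assets(INVENTORY):
        print(f"EXPOSED  {asset}")
    for rule_id, reason in risky_rules(FIREWALL_RULES, APPROVED_CONDUITS):
        print(f"RULE {rule_id}  {reason}")
```
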

2. Implement Multi-factor Authentication (MFA) and strong password policies ASAP. 

Hackers are having a field day with water systems because they have such poor password hygiene. Here are a few areas you need to address now. 

  • Change default passwords NOW: A few water system breaches occurred because default passwords such as “1111” were never changed after the installation and configuration of software. Change any default passwords now and create a policy that default passwords must be changed as part of any software deployment. 
  • Use Multi-factor Authentication (MFA): MFA is one of the most important—and cheapest—cybersecurity best practices you can implement. It requires users to provide multiple forms of authentication, such as a password and a one-time code sent to a mobile device, to access a system. 99.9% of account compromise attacks can be blocked by MFA. Set up MFA for remote access in particular. 
  • Deprovision user credentials after employees leave: We know you would like to trust former employees, but many water system breaches occurred when disgruntled employees accessed and attempted to sabotage water systems. Their user credentials should not have worked. If someone doesn’t work for you, they should not have access to your water system. A tool such as Microsoft Entra ID connects to line of business applications so that you can deprovision an account once and it will remove the user’s access from all applications. 
  • Use strong passwords: By strong passwords, we mean that they need to be long (at least 12 characters) and include a combination of numbers, upper and lowercase letters, and symbols. 
    For a sense of why, consider that hackers can: 

    • Instantly brute force a numbers-only password up to 11 characters, and take only 14 hours with a 17-character password. 
    • Instantly brute force a lowercase letter-only password up to 8 characters, and take only 14 hours with a 12-character password. 
    • Instantly brute force a password with upper and lowercase letters up to 6 characters, and take only 21 hours with a 10-character password. 
    • Instantly brute force a password with numbers, uppercase letters, and lowercase letters up to 6 characters, and take only 2 hours with a 9-character password. 
    • Instantly brute force a password with numbers, uppercase letters, lowercase letters, and symbols up to 6 characters, and take only 6 hours with a 9-character password.

Simply having a 12-character password with numbers, upper and lowercase letters, and symbols would take hackers 226 years to crack!
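
The four checks in this step can be automated. The following Python script is an added example, not part of the original guide: it tests a candidate password against the policy above (at least 12 characters, all four character classes, not a known default such as “1111”) and reviews an account list for departed users, remote access without MFA, and long-unchanged passwords. The account fields, the sample data, the extra default passwords, and the one-year review threshold are assumptions made for illustration.

```python
import string
from datetime import date

# Default passwords to reject; "1111" is the one named in this guide,
# the others are constructed examples.
KNOWN_DEFAULTS = {"1111", "admin", "password"}
MIN_LENGTH = 12  # the guide's minimum length


def password_problems(password):
    """Return the reasons a candidate password fails the guide's policy."""
    problems = []
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("default password")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    checks = [
        ("no digit", string.digits),
        ("no uppercase letter", string.ascii_uppercase),
        ("no lowercase letter", string.ascii_lowercase),
        ("no symbol", string.punctuation),
    ]
    for label, charset in checks:
        if not any(ch in charset for ch in password):
            problems.append(label)
    return problems


# Constructed sample data: an account export and the current staff roster.
ACCOUNTS = [
    {"user": "jsmith", "remote_access": True, "mfa": True,
     "password_changed": date(2024, 3, 1)},
    {"user": "contractor7", "remote_access": True, "mfa": False,
     "password_changed": date(2014, 6, 15)},
    {"user": "operator2", "remote_access": False, "mfa": False,
     "password_changed": date(2023, 11, 20)},
]
CURRENT_STAFF = {"jsmith", "operator2"}


def account_findings(accounts, current_staff, today, max_age_days=365):
    """Flag accounts to deprovision, enrol in MFA, or review for stale passwords.

    max_age_days is an assumed review threshold, not a figure from the guide.
    """
    findings = []
    for acct in accounts:
        if acct["user"] not in current_staff:
            findings.append((acct["user"], "not on staff roster: deprovision"))
        if acct["remote_access"] and not acct["mfa"]:
            findings.append((acct["user"], "remote access without MFA"))
        if (today - acct["password_changed"]).days > max_age_days:
            findings.append((acct["user"], "password older than review threshold"))
    return findings


if __name__ == "__main__":
    print(password_problems("1111"))
    for user, issue in account_findings(ACCOUNTS, CURRENT_STAFF, date(2024, 6, 1)):
        print(f"{user}: {issue}")
```
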


3. Implement and enforce strong access controls. 

Access control systems play a crucial role in protecting sensitive information, maintaining the integrity of systems, and preventing security breaches by detecting unauthorized access attempts. Implement controls to restrict employee access to information based on their job responsibilities. This includes: 

  • Maintaining user account logs: Generate audit logs and maintain records of access attempts and actions taken by users, facilitating security monitoring and investigations. 
  • Regularly reviewing and updating access permissions: Assign permissions and access rights based on predefined roles or job functions. As part of this process, you need to revoke or suspend access privileges when a user's role changes or when security concerns arise. Policies around user provisioning and deprovisioning also help to reduce breaches. 

4. Patch software and systems. 

Software and applications are susceptible to security vulnerabilities. At the same pace that vendors release patches to fix these vulnerabilities, cyberattackers exploit unpatched systems.

Timely patching helps address known vulnerabilities and protect against exploitation. Water systems need to establish a comprehensive and well-managed patch management process that includes regular risk assessments, clear communication, and prioritization of critical updates. Consider automating certain aspects of the patching process to improve efficiency and reduce the window of vulnerability.

Older or legacy systems may not receive patches or updates from vendors, which is part of the financial and risk assessment case to be made against keeping such old systems.

5. Conduct security awareness training. 

On average, water system employees have been in their jobs for more than 10 years. It’s easy to fall into a groove and miss out on how fast cybersecurity evolves. At the same time, it’s cumbersome to bring people in to do in-person training or send employees to classes.

Nowadays, security awareness training seamlessly fits into our work lives. Employees can watch videos and take training that is quick, flexible, and interactive. It’s easy to educate employees about the latest threats, best practices, and security policies. Training drills can include quizzes, interactive scenarios, and mock phishing emails to reinforce learning. 

6. Review your data backup and disaster recovery plan. 

No matter what you do, there is always a chance that a cyber incident could happen. You don’t want to be in a situation where you fail to avert a crisis, respond too late, or permanently lose important data.

Water systems need to develop and maintain a comprehensive disaster recovery plan to ensure business continuity after a cyberattack. While we’ve written a full disaster recovery guide for municipalities that also applies to water systems, a few of the most important aspects of disaster recovery include: 

  • Using onsite local data backups to lessen time to recovery for smaller incidents (such as a server failure). 
  • Using offsite data backup to plan for worst-case scenarios. Offsite means storing your data backups far from your geographical location. 
  • Monitoring your data backups. It’s important to identify problems with your onsite and offsite backups before a disaster occurs. 
  • Regularly testing your data backups. If you don’t test your backups, you won’t know if you will be able to recover after a disaster. 
  • Creating a disaster recovery plan that clearly outlines how your water system will recover your data and restore operations after a cyberattack or other disaster.   

7. Conduct a cybersecurity assessment. 

An assessment identifies vulnerabilities that could be exploited by attackers and gives you recommendations to address these weaknesses. Understanding your specific risks allows for the development of targeted strategies to mitigate them, reducing the likelihood and potential impact of a cyberattack.

To ensure a successful assessment, make sure you: 

  • Define the scope: Determine which systems, processes, and data will be evaluated. This may involve both IT and OT systems. Make sure you include critical assets that need protection such as SCADA systems, treatment facilities, distribution networks, and customer data. 
  • Assess current security measures: Evaluate existing security measures that you have in place. 
  • Conduct a risk assessment: Identify potential threats, vulnerabilities, and the impact of various cyber threats on your operations and data. 
  • Conduct vulnerability testing: Penetration testing and network scanning identify weaknesses that could be exploited. 
  • Review policies and procedures: Examine your cybersecurity policies and procedures to ensure they are up-to-date and comprehensive. Review your incident response plan to ensure it is robust and includes clear procedures for detecting, responding to, and recovering from cyber incidents. 

Consider engaging external cybersecurity experts to conduct the assessment and provide recommendations. They can offer a fresh perspective and specialized expertise. Document the findings of the assessment and report them to relevant stakeholders, including recommendations for improvements and a roadmap for implementing them.

When you engage a managed IT service provider, an IT and cybersecurity assessment is typically done during onboarding so they can clearly understand your systems and both parties can get a baseline on your risk profile.

Stepping Up to Protect Our Critical Infrastructure 

The stakes of protecting water systems are high. Our residents, businesses, farms, healthcare facilities, and schools rely on your great work every day. A disruption to our water systems can seriously affect public health and economic wellbeing. Our nation’s adversaries currently exploit water system weaknesses to further their interests, humiliate the United States, and disrupt an essential part of our critical infrastructure. 

It's clear the cavalry isn’t coming from the federal government, and regulations prove unpopular. So, it’s up to you.

Will you face the hard reality of your limitations, educate yourself about what you can do in the near-term, and make the case for long-term improvements?

Or…just hope nothing will happen on your watch? 


Concerned About the State of Your Water System Cybersecurity? 

If your gut’s telling you that something may not be right with your water system cybersecurity, reach out to VC3 today. You don’t have to go it alone. Learn more about how VC3 can help.