Introduction to cybersecurity for water treatment

As water treatment plants become more digitized, their exposure to cyber threats has increased significantly. Ensuring cybersecurity for water treatment is vital to protect these critical infrastructures. Modern cybersecurity solutions for water treatment address the unique risks of operational technology (OT) networks while securing cloud systems that manage sensitive data. This guide explores various security measures designed to bolster the resilience of water and wastewater utilities.

Water treatment cybersecurity industry challenges

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the United States contains over 153,000 public water systems and 16,000 publicly owned wastewater treatment systems, which provide water to more than 80% of the U.S. population. The majority of these systems are smaller facilities with a lean staff.

Despite this heavy reliance on drinking water systems, U.S. officials warn that cybersecurity has been weak, with some surveys finding that only about 20% of publicly owned water systems have implemented basic cybersecurity measures, leaving the water sector “at risk” of cyber-attacks.

Today, states hold the main authority over water districts, including enforcing standards and policies. In 2023, the Biden administration granted the EPA new authority to oversee and enforce cybersecurity requirements for water districts, authorities, utilities and more nationwide.

Many water and utility companies lack the resources for constant monitoring of digital assets and have limited personnel to monitor IT and OT/SCADA, which leads to several issues for their security team. For example, because IT and OT tools are traditionally siloed, each team misunderstands the other’s duties.

Smaller utilities or water organizations may leave OT security to site managers: skilled engineers with deep knowledge of network architecture or physical security, but limited awareness of how to assess and manage cyber risk. Larger organizations, meanwhile, tend to have greater segmentation between duties, which furthers the divide.

Cyber threats to the water treatment industry

Water treatment facilities have become prime targets for cyber-attacks due to their critical role in public health and infrastructure. Bad actors, including foreign adversaries, understand the impact of disrupting these systems, which provide essential services to millions of people and industries. A successful attack could lead to contaminated water, system shutdowns, and widespread panic.

Why target this sector?

The water treatment sector is often targeted by foreign adversaries seeking to destabilize a government or gain geopolitical leverage, because it plays a crucial role in public health. Because of the underlying impact on public safety, cybersecurity for public water treatment facilities is usually accompanied by a series of rules and regulations from national authorities, making security a constant point of emphasis.

Key vulnerabilities

As more operations move online, especially with cloud security in water treatment, facilities are exposed to new risks. Cloud-based platforms improve efficiency but also open the door to unauthorized access and potential cyber-attacks. Adding cloud technology to any facility that includes operational technology (OT) risks increasing the exposure of critical assets. Security practitioners have traditionally mitigated this risk by isolating control devices from IT networks and software to keep them safe. However, with the addition of new technologies, this separation is becoming increasingly difficult to maintain.

Growing cyber threats

With water management, operations, and service delivery increasingly handled online, attackers can exploit unpatched software, unprotected endpoints, and weak IT-OT integration. Now more than ever, organized cyber crime is growing in the form of Malware-as-a-Service (MaaS). Many of the prevalent threats observed by Darktrace heavily utilized MaaS tools. This is likely because of the lucrative subscription-based income of MaaS ecosystems, as well as the low barrier to entry and high demand.

To learn more about the most prominent threats in cyber today, read the Darktrace Half-Year Threat Report here.

Without robust cybersecurity water treatment strategies, these vulnerabilities can be exploited, putting essential services at risk.

Types of cyber-attacks in water treatment

Water treatment facilities, including wastewater utilities, face a wide range of cyber threats that can severely disrupt their operations and compromise public safety. The most common types of cyber-attacks targeting this sector include:

Ransomware

Ransomware is a type of malware that encrypts valuable files on a victim’s device, denying the account holder access and demanding money in exchange for the decryption key. Ransomware has become increasingly difficult to deal with, especially with ransom payments being made in cryptocurrency, which is untraceable. Ransomware can enter a system when a user clicks a dangerous link or downloads malicious files.

Malware

Malware is another significant threat to wastewater utilities. Malware is malicious software designed by a cyber criminal to infiltrate a device and disrupt, steal, or exploit sensitive information. There are many types of malware, and each involves a different method of exploitation. However, in most cases the cyber criminal wants to gain access to information that could harm the user, in order to benefit financially through a ransom or identity theft.

Phishing

Phishing is the process of sending fraudulent emails, while posing as a legitimate sender, to convince people to reveal sensitive information such as passwords, social security numbers, bank account information, and more.

Email phishing is one of the most common ways attackers are able to successfully infiltrate systems.

IT teams can take as long as 13 days on average to recognize new phishing attacks, according to research conducted by Darktrace, and by focusing on historical attack data they can only catch up with threats they have seen before.

Learn how modern threat actors use AI to turbo-charge their phishing attacks in the white paper "How AI is Changing the Phishing Landscape."

Insider threats

Insider threats occur when employees or contractors misuse their access to systems, either maliciously or unintentionally. In water treatment, insiders could manipulate operational controls, disrupt service, or leak sensitive information. Insider attacks can be particularly damaging, as they bypass many traditional security measures.

Consequences of cyber-attacks in the water and wastewater utility sector

Cyber-attacks on the water and wastewater utility sector can have severe and far-reaching consequences. The worst-case scenario involves compromised water quality, service outages, and even threats to public health. If attackers manage to alter chemical levels or disable critical systems, contaminated water could reach the public, potentially causing illness or even death.

Reputation damage

For a water treatment organization that suffers a cyber-attack, loss of public trust in water safety could lead to long-term damage, with customers demanding stronger cyber resilience measures. The public may also lose confidence in the utility’s ability to deliver safe water, creating public backlash and scrutiny from regulators.

Financial impact

Cyber-attacks are costly, from direct recovery expenses to regulatory fines. Companies may face significant financial losses as they work to recover compromised systems, secure data, and restore operations. In addition, businesses could be hit with lawsuits from affected customers or industries that rely on water for production.

Employee and operational strain

The aftermath of an attack often creates more problems for employees, who have to deal with disrupted operations and increased pressure to fix the damage as quickly as possible. In some of the worst cases, skilled workers may leave, making it even harder to maintain daily operations.

Recent incidents

In Texas, the cities of Hale Center, Muleshoe, Lockney, and Abernathy were targeted by cyber-attacks, leaving these rural water systems exposed. These incidents highlight how vulnerable smaller utilities are to cyber threats, especially when they lack advanced cyber resilience strategies. The attacks disrupted operations and put these communities at risk, underscoring the need for improved security measures across all water and wastewater utility systems.

Secure your water treatment facility with Darktrace

Unlike traditional tools, Darktrace does not rely on rules, signatures, or historical attack data. Instead, it understands everything in your organization from the ground up and detects subtle deviations indicative of a cyber-threat. With its ‘Unified View’ of enterprise (IT) and industrial (OT) environments, Darktrace is uniquely positioned to deal with IT/OT convergence and IT/OT interdependence through an easy-to-use UI and executive-level reporting that can be understood by anyone in either IT or OT, regardless of the origin of the alert.

Darktrace’s AI technology can:

  • Take action at the DMZ
  • Stop threats in IT before they spread to OT
  • Illuminate unknown points of IT/OT convergence

Darktrace / OT, specifically designed to protect IT/OT environments, can act against suspicious activity at the DMZ or network boundary to prevent an attacker from pivoting from IT into OT and moving laterally into control systems. All the while, other devices critical to safety can be left untouched to ensure operational continuity.

Darktrace can also detect known vulnerabilities in devices and autonomously increase security measures around the device until the vulnerability is patched. By continually updating its understanding of normal, Darktrace learns on the job and can evolve with a business without the need for periodic baselining, updated rules, or growing alert creep over time.
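The two ideas in the preceding paragraphs, learning what is normal for each host and treating a first-time IT-to-OT connection at the boundary as the deviation that matters most, can be illustrated with a small flow-log check. The code below is an added example written for this page; it is not Darktrace code and does not reflect how Darktrace models a network. The IT and OT subnets, the industrial-protocol port list, and every flow record are constructed for the illustration.

```python
"""Added example: a toy 'learn normal, flag deviation' check for IT/OT boundary flows.
Not Darktrace code; subnets, ports and flow records below are all constructed."""
import ipaddress
from collections import defaultdict

IT_NET = ipaddress.ip_network("10.10.0.0/16")       # assumed enterprise (IT) range
OT_NET = ipaddress.ip_network("192.168.50.0/24")    # assumed control-system (OT) range
# Common industrial protocol ports; a brand-new IT host speaking these to OT is the
# pattern a boundary control should stop first.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed learning-window flows: (src, dst, dst_port). In practice these would
# come from firewall, NetFlow or span-port telemetry collected over weeks.
BASELINE_FLOWS = [
    ("10.10.5.20", "192.168.50.10", 502),    # engineering workstation -> PLC 1
    ("10.10.5.20", "192.168.50.11", 502),    # engineering workstation -> PLC 2
    ("192.168.50.2", "192.168.50.10", 502),  # HMI -> PLC 1
    ("10.10.7.3", "10.10.1.5", 443),         # office PC -> intranet server
]

# Constructed flows from a later window, including two that cross the boundary.
NEW_FLOWS = [
    ("10.10.5.20", "192.168.50.10", 502),    # seen before: normal
    ("192.168.50.2", "192.168.50.10", 502),  # seen before: normal
    ("10.10.7.3", "10.10.1.9", 443),         # new intranet peer: low-severity novelty
    ("10.10.7.3", "192.168.50.10", 445),     # office PC reaching into OT over SMB
    ("10.10.7.3", "192.168.50.10", 502),     # office PC speaking Modbus to a PLC
]


def learn_baseline(flows):
    """Map each source host to the set of (destination, port) pairs it was seen using."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def classify(flow, baseline):
    """Return None for a known-normal flow, otherwise a finding dict with a severity."""
    src, dst, port = flow
    if (dst, port) in baseline.get(src, set()):
        return None                      # this host has used this peer/port before
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    crosses_boundary = src_ip in IT_NET and dst_ip in OT_NET
    if crosses_boundary and port in OT_PROTOCOL_PORTS:
        severity = "critical"
        reason = f"new IT->OT {OT_PROTOCOL_PORTS[port]} session from a host with no OT history"
    elif crosses_boundary:
        severity = "high"
        reason = f"new IT->OT connection on port {port}"
    else:
        severity = "low"
        reason = "new peer for this host"
    return {"src": src, "dst": dst, "port": port, "severity": severity, "reason": reason}


def detect(flows, baseline):
    """Run classify over a window of flows and keep only the deviations from baseline."""
    return [
        finding
        for finding in (classify(flow, baseline) for flow in flows)
        if finding is not None
    ]


if __name__ == "__main__":
    for finding in detect(NEW_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(f"[{finding['severity']}] {finding['src']} -> "
              f"{finding['dst']}:{finding['port']}  {finding['reason']}")
```

The point of the severity split is that novelty alone is a weak signal (hosts pick up new peers all the time), whereas novelty that crosses the IT/OT boundary on an industrial protocol is the exact pivot the boundary control exists to block, so that is the finding that should drive an automatic response while everything inside the OT segment is left untouched. A production version would age the baseline and add direction and byte-count features, but the ordering of concern stays the same.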