Water Systems Facing Unique Cyberthreats

Turn to the nation's most objective and informative daily environmental news resource to learn how the United States and key players around the world are responding to the environmental...

By David Schultz

Water utilities face unique cybersecurity threats and federal officials who work on both environmental protection and law enforcement are urging the utilities to assess their vulnerabilities in this area.

This will become a greater issue in the future, federal officials said, as more water systems try to cut costs by moving toward full automation.

The EPA has been collaborating with the Department of Homeland Security to develop new training materials that are tailored specifically to the water industry, especially to small systems that serve rural communities. David Travers, director of the Environmental Protection Agency’s water security division, said much of the existing cybersecurity training is broadly geared toward all utilities.

“A lot of this stuff is completely impenetrable to people in our sector,” he said at a March 13 conference of state drinking water administrators.


Helen Jackson is with the DHS Office of Cybersecurity and Communications. She said she mainly works on the “pre-boom” issues of assessing risks and preventing incidents, rather than the “post-boom” tasks of detecting breaches or recovering compromised infrastructure.

Jackson said the cyberthreats to water utilities can come in a number of different forms: there’s ransomware, in which hackers demand compensation to relinquish control of equipment they have hijacked, or insider threats, which involve a system being compromised by someone who was granted access by the utility. Jackson cited a 2015 IBM survey that found insider threats constitute more than half of all corporate cybersecurity incidents.

Then there are the threats to a utility’s equipment posed by the equipment itself. Jackson said, as supply chains become more complicated, “it’s difficult to really understand the companies and products you’re purchasing.”


Travers said this is something utilities need to keep a close eye on, especially since the move to automation means some water treatment facilities are now no longer staffed around the clock.

“We’ve become increasingly vulnerable,” he said. “As we rely on a fully automated system, I think there’s a certain degree of expertise that’s lost. ... Now you have operators who may not know how to run the system” during an outage.

Jackson encouraged the heads of water utilities to use a tool developed by the National Institute of Standards and Technology to help federal agencies and private companies assess their cybersecurity risks.

Travers also said holding in-person, tabletop simulation exercises can be an especially effective tool. He cited one of these exercises the EPA organized in Georgia last summer that simulated how water utilities would respond to a hurricane, just two months before Hurricane Matthew actually did hit the state.

To contact the reporter on this story: David Schultz in Washington at dSchultz@bna.com

To contact the editor responsible for this story: Larry Pearl at lpearl@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Environment & Energy Report