Clean Water, Cybersecurity: Another OT Sector at Risk

Written August 26th, 2021


“America’s Drinking Water Is Surprisingly Easy to Poison” headlined the ProPublica article about February’s cyberattack on the Oldsmar, Florida wastewater treatment facility. Indeed, this summer’s Water and Wastewater Cybersecurity 2021 State of the Sector (.pdf) report confirms that cybersecurity is a rising concern. Produced by the Water Sector Coordinating Council, a collection of water-related authorities, the report is the first of its kind. It demonstrates that operational technology (OT) continues to be challenging infrastructure to protect.

OT cybersecurity risk isn’t limited to the water sector. Industrial systems in every sector are increasingly looking for opportunities to harden their security. As smart sensors allow more systems to connect to one another and to the internet for efficiency and cost savings, the cybersecurity risks rise. These rapid changes are being addressed in all sectors, from water to energy. Yet few would dispute that clean drinking water is among our most valuable assets.

The 2021 State of the Sector report gathered information in April. It shows an industry proactively strengthening security with an eye toward resiliency in some quarters, but largely a sector with great unmet needs, uneven resources, and mixed results. This state isn’t unique to natural resource management, but it is especially urgent due to water’s importance.


Cybersecurity Challenges Unique to Water and Wastewater

There are 52,000 community water systems and approximately 16,000 water treatment plants in the United States, according to the report. All are potential targets of cybercrime.

The sector has some very specific challenges that affect cybersecurity capacity, including:

  • Budgetary shortfalls common to public utilities and cooperatives alike; privately owned water systems are not immune
  • Aging infrastructure in dire need of repair, including many municipal systems over 100 years old, putting strain on budgets
  • A lack of technical training, tools, and assistance specific to cybersecurity defense
  • Fierce competition with other industries for cybersecurity talent

“Further, nearly 30% [of survey respondents] indicated a need for information technology (IT) and operational technology (OT) supply chain integrity, which demands strong federal leadership,” says the report.

Water Sector’s OT Cybersecurity Needs

Regardless of respondent work context (public versus privately owned, or drinking-water, wastewater, or combined water utility provider) there were some eye-opening cybersecurity stats. Among them:

  • 38% of systems allocate less than 1% of budget to IT cybersecurity. (Only 4.1% of systems allocate greater than 10% of budget to IT cybersecurity.)
  • 44.8% of systems allocate less than 1% of budget to OT cybersecurity. (Only 1.7% of systems allocate greater than 10% of budget to OT cybersecurity.)
  • 26.72% of respondents said that cybersecurity risk assessments were performed less than once annually. A further 16.88% admitted that no cybersecurity risk assessments were performed. Only 5% claimed to do weekly risk assessments.

“The number one challenge for systems serving more than 100,000 is creating a cybersecurity culture within the utility,” says the report.

Looking specifically at OT, which refers to infrastructure that manages programmable devices and monitors and controls physical processes, a lot remains a work in progress. 30.5% of utilities have identified all OT-networked assets. An additional 22.5% are still working to identify all OT-networked assets.

The report goes on to say that “77.8% of systems reported no OT cybersecurity incidents in the last twelve months.” No incidents, or no known incidents? As in other sectors, OT and IT teams are beginning to appreciate the need to combine their expertise for the strongest security stance. And again, this is a cultural shift as much as a technical one.

As the ProPublica article quoted above said of the quick resolution of the Oldsmar cyberattack: “They didn’t win a game. They averted a disaster through a lot of good fortune.” Let’s hope fortune holds. All sectors, including water, have a lot of work to do to enhance OT cybersecurity.

Photo by Ivan Bandura