Water and wastewater facilities are increasingly vulnerable to cybersecurity attacks from a wide range of criminal actors. But because this is often a vast and vague threat, where do operators begin?
Try this: Change your work accounts’ passwords now. Before reading any further, go ahead and update your most important passwords.
All set? Let’s proceed.
Robert Siciliano, cybersecurity expert, spoke at the WWETT Show in Indianapolis Feb. 19, outlining the potential (and very common) gaps in security across the industry. He suggested that it’s often the simple proactive fixes that can stop a consequential attack in the future: unique passwords, two-factor authentication, firewall management.
“While there are vulnerabilities in hardware and vulnerabilities in software, passwords are often the biggest target,” he said. “If you’re not engaging in basic cybersecurity 101, this can happen to your facility.”
“This” means big problems for your facility and perhaps your broader network.
A cybersecurity breach at a water or wastewater facility can disrupt essential services, posing serious operational and public health risks. Attackers can manipulate treatment processes, alter chemical levels, shut down pumps, or lock operators out of critical SCADA systems. These disruptions can lead to unsafe drinking water, sewage overflows, and environmental contamination—potentially resulting in regulatory violations and reputational damage.
Beyond operational disruptions, a breach can have significant financial and legal consequences. Non-compliance with cybersecurity mandates can lead to regulatory fines, while ransomware attacks often result in costly downtime or extortion payments. Facilities also risk lawsuits if customer data or sensitive infrastructure details are exposed. Additionally, insurance premiums for cyber coverage may increase, and supply chain disruptions can drive up costs for essential treatment chemicals and equipment.
With water and wastewater infrastructure increasingly targeted by cybercriminals and even nation-state actors, proactive cybersecurity investment is no longer optional. Strengthening network protections, employee training, and access controls can mitigate threats, while regular risk assessments help ensure compliance with evolving regulations.
These attacks are legion; consider the following quote from a news story from late 2024:
- In one incident, pro-Iranian hackers penetrated a Pittsburgh-area water utility’s PLC and defaced the touchscreen with an anti-Israel message, forcing the utility to revert to manual control of its water pressure-regulation system. A water and wastewater operator for 500 North American communities temporarily severed connections between its IT and OT networks after ransomware infiltrated some back-end systems and exposed its customers’ personal data. Customer-facing websites and the telecommunications network at the US’s largest regulated water utility went dark after an October cyberattack.
There’s an undeniable sense of urgency here. Not only are our networks becoming more complex (and thus more entangled and rich with personal data), but malicious actors are only growing more sophisticated.
Siciliano offered several practical tips for shoring up your facility’s cybersecurity:
1. Strengthen Password Management
Using unique and complex passwords for each login is critical to prevent unauthorized access to sensitive systems. Implement the following:
- Require complex passwords: Use at least 12-16 characters, combining uppercase and lowercase letters, numbers, and special characters.
- Change passwords regularly: Rotate passwords every 60 days to minimize exposure risk.
- Use a password manager: Employees should not reuse passwords across different systems. A password management tool can securely generate and store complex passwords.
- Enforce account lockout policies: Limit failed login attempts to mitigate brute-force attacks.
2. Enable Two-Factor Authentication (2FA) for Secure Access
Requiring multi-factor authentication (MFA) significantly reduces the chances of an unauthorized breach.
- Apply 2FA to all remote access points, including VPNs, SCADA systems, and cloud-based operational tools.
- Use authentication apps (like Google Authenticator or Microsoft Authenticator) instead of SMS-based 2FA, which is more vulnerable to phishing attacks.
- Limit login access to pre-approved devices to prevent unauthorized network entry.
3. Request a Cybersecurity Evaluation from the U.S. EPA
The U.S. EPA offers free cybersecurity assessments to help water and wastewater utilities identify vulnerabilities and improve resilience.
- Sign up for the Cybersecurity Technical Assistance Program here.
- Schedule an on-site or virtual assessment to evaluate current security measures.
- Receive tailored recommendations to improve security posture and compliance with federal guidelines.
4. Implement Regular Cybersecurity Training & Phishing Simulations
Human error is one of the biggest cybersecurity risks. Consistent training helps employees recognize and prevent threats.
- Conduct ongoing phishing awareness training: Train employees to identify suspicious emails, attachments, and links.
- Simulate phishing attacks using internal security tools to test staff responses and reinforce best practices.
- Make cybersecurity a regular conversation by incorporating discussions into staff meetings and emergency preparedness drills.
5. Deploy AI-Based Network Monitoring for Anomaly Detection
AI-driven security tools can proactively detect suspicious behavior and potential cyber threats before they escalate.
- Install AI-based network monitoring to track unusual data flows, unauthorized access attempts, and system anomalies.
- Set automated alerts for suspicious activities, such as failed login attempts, unrecognized IP addresses, or unexpected data transfers.
- Use AI-powered threat intelligence to analyze and predict potential attack patterns based on global cybersecurity trends.
6. Stay Informed with Cybersecurity News & Alerts
Cyber threats evolve rapidly, making it essential for water facility leaders to stay updated on the latest cybersecurity risks and best practices.
- Set up Google Alerts for terms like “cybersecurity wastewater” or “SCADA system security breach” to receive real-time updates.
- Follow industry cybersecurity sources, such as CISA, the U.S. EPA, and WaterISAC, for alerts on vulnerabilities targeting water and wastewater infrastructure.
- Subscribe to cybersecurity newsletters from organizations like CISA, NIST, and the Water Sector Coordinating Council to receive monthly updates on emerging threats.
By integrating these practices, water and wastewater facilities can significantly improve their cybersecurity defenses, protect critical infrastructure, and ensure the safety of public water systems.
