Water & Wastewater Industry

Protecting a nation’s critical infrastructure against an ever-growing arsenal of AI-powered cyber threats is crucial, particularly in the water and wastewater industry. With the rise of operational technology (OT) and the need for secure remote access, the risks and consequences of cyber attacks have grown significantly.

OT has made it possible to optimize the operation of water and wastewater facilities, but it has also created new risks that must be addressed. Water and wastewater companies are vulnerable to cyber-attacks that can disrupt operations, compromise public safety, and cause significant financial loss.

The water and wastewater sector is experiencing an increase in AI-powered cyber incidents, making it crucial for their operators to prioritize OT cybersecurity.

Water And Wastewater Graph

The Escalating Threat to the Water and Wastewater Industry

The water and wastewater industry has increasingly been the target of cybercriminals, bad actors, and hostile nation-states, and recent incidents highlight the importance of cybersecurity in this sector.

The US alone has about 150,000 public water systems and 16,000 publicly owned wastewater systems. This industry has been specifically targeted by bad actors recently, and in recognition of this ongoing threat, CISA announced a free Cyber Vulnerability Scanning Service for Water Utilities.

Recent hacks include the Municipal Water Authority of Aliquippa, Hawaii Water Utility, and the North Texas Municipal Water District. In January of 2021, the San Francisco Bay Area experienced a cyber attack when a  group of hackers used a former employee's username and password, which had not been removed from the system, to access a water treatment facility. 

Using outdated software and widely shared login credentials, hackers also accessed controls for a water treatment facility in Oldsmar, Florida, in February 2021. The hackers attempted to increase the levels of sodium hydroxide to toxic levels and contaminate the water supply of the town's 15,000 residents. Luckily, an alert user noticed the mouse movement and informed the authorities. This incident brings attention to the vulnerabilities posed by remote access systems, which are becoming increasingly prevalent in critical infrastructure IT systems and represent significant cybersecurity risks.

As Generative AI (GenAI) is used to enhance phishing and reconnaissance of public utilities, these threats will grow, and the consequences could be fatal for communities.

Potential Consequences of Cyber Attacks on the Water and Wastewater Industry

Successful cyber-attacks on the water and wastewater industry can have far-reaching consequences. These attacks can disrupt treatment and conveyance processes by manipulating equipment, disabling pumps, or overriding alarms. Attackers can also deface the utility's website or compromise the email system, putting customer data and billing information at risk of theft. In some cases, malicious programs such as ransomware can be installed, causing severe damage to business operations.

The effects of such attacks can be disastrous, compromising the ability of water and wastewater utilities to provide clean and safe water to their customers. This, in turn, can erode customer confidence, leading to financial and legal liabilities. The potential harm caused by successful cyber-attacks underscores the importance of implementing robust cybersecurity measures to protect against such threats.

Security Challenges in the Water and Wastewater Industry

The water industry faces unique security challenges in the realm of cybersecurity. Although all utility sectors encounter these challenges, the water industry is particularly vulnerable and is being specifically targeted by bad actors. Unlike the electric, oil, and gas industries, no standardized set of rules or regulations for securing water utilities exists. As a result, there are numerous potential security gaps due to the disparate nature of system implementation.

Additionally, cybersecurity practices are outdated in many parts of the country, and weaker identity monitoring and access management tools increase vulnerability. The facilities are usually lightly staffed, and the existing IT security solutions are a poor match for the cybersecurity needs of an OT network. 

In a 2019 report, the American Water Works Association (AWWA) recognized the paramount risk of cyber risk to critical infrastructure, citing insufficient human, technological, and financial resources as primary barriers to comprehensive security measures and robust defenses. Hackers are keenly aware of the potential impact on the population, giving them the upper hand when breaching frontline security.

Ransomware is a common tactic used by attackers, who exploit these vulnerabilities in exchange for sizable payments. Reports indicate that ransomware attacks on the water utility industry are increasing, putting individuals all over the country at risk.

BlastWave’s Water and Waterwaste Industry Solutions

The water and wastewater industry provides essential services to the public and relies on technology like SCADA systems, making them a prime target for cyber attacks. Cybersecurity breaches in these OT systems can lead to disruptions in service, financial losses, and reputational damage.

Water Treatment Image
Make Devices Undiscoverable OT Security

Network Cloaking:

Network Cloaking ensures that critical yet outdated legacy infrastructure such as PLCs, sensors, and pumps—becomes invisible to external threats. Rather than just obfuscating these systems, they do not appear in any scans or probes from a hacker. With BlastShield, water systems operators ensure security and compliance with industry standards and guidance like NIST 800-53, 800-207 (Zero Trust), and IEC 62443. AI-enhanced reconnaissance tools cannot probe into the internal workings of a water facility because they have no path to reach the internal OT networks.

OT Secure Remote Access:

BlastShield provides OT Secure Remote Access to critical OT water systems, ensuring operators can monitor and manage them without exposing them to cyber threats. BlastShield’s phishing-resistant MFA biometric authentication protects against GenAI-powered phishing attacks and MFA hijacking. A full mesh of P2P encrypted tunnels is created to secure traffic from remote users to the water facility and any agent-enabled systems, protecting against Man-in-the-middle attacks.

Network Segmentation (MicroSegmentation):

BlastShield simplifies the challenge of microsegmentation by creating simple peer-to-peer encrypted and authenticated tunnels to each device or group of devices without complex firewall rulesets. IT and OT network staff and temporary contractors are permitted access to only the systems they are responsible for, and privileges can be granted and revoked in real-time. BlastShield prevents lateral movement by Secure Remote Access users within the network and can even provide lateral movement protection at Layer 2 for local network connections.