How do we protect our public utilities?
By Joel Cox, GICSP, GPEN, GRID, CCNA, Cybersecurity expert at West Yost and Kevin Morley, PhD, American Water Works Association, Federal Relations Manager
This article contains and answers the following:
What are some common cybersecurity threats the water sector should be aware of?
What are the risks if you do not identify and secure these vulnerabilities?
What emerging trends in cybersecurity should the water sector be preparing for?
Are there any closing thoughts you would like to leave with our readers?
- Insight from an Expert
- Tips & Tricks to Improve Resilience
- Cybersecurity Threat Forecasting
- Challenges and Solutions
- Potential Implications of an Attack
- Recent Events and the Impact
[WY] In an era where cybersecurity threats are becoming increasingly sophisticated, the public utilities sector, particularly water systems, faces unique challenges. To shed light on these issues, West Yost reached out to Kevin Morley, a leading expert in the field, who has been at the forefront of cybersecurity initiatives for over two decades. This exchange provided valuable insights into the challenges, current landscape, and future trends in cybersecurity for public utilities.
[WY] Before we dive into the current landscape, let us introduce Kevin Morley. His journey into cybersecurity began shortly after the events of September 11, 2001. He was involved in one of the first vulnerability assessments under the Bioterrorism Act of 2002, which required systems to consider cybersecurity threats. Since joining the American Water Works Association (AWWA) in 2003, he has led efforts on risk and resilience, including cybersecurity. In 2007, he partnered with the Department of Homeland Security to develop a roadmap for advancing cybersecurity in the water sector, which laid the foundation for integrating cybersecurity into multiple AWWA standards.
[WY] Right now, there are numerous challenges that public utilities like water face in addressing cybersecurity threats.
[WY] What are some common cybersecurity threats the water sector should be aware of?
[KM] “The capability of criminal enterprises and state-affiliated threat actors has become persistent and increasingly more sophisticated [over the past few years]. There has also been greater targeting of operational technology across critical infrastructure systems including water systems. That means that water systems of all types and sizes are not immune from this threat. Ransomware is still the most common type of attack given the monetary objective.”
Additional Challenges Include:
[KM] “Transitioning from legacy technology is a big issue for many systems in terms of cost and time necessary to effectively implement.”
[WY] Think of those big software upgrades on your devices that require you to restart your device and take about an hour. Now imagine that, but for a whole computer room that services thousands of people who will be impacted by the disruption. This type of transition is necessary but requires an implementation plan.
[KM] “Utilities are facing competing priorities on budgets strained by new regulatory obligations from the PFAS (forever chemicals) and Lead/Copper rule totaling approximately $6 billion per year.”
[WY] In April, the EPA announced that it would be implementing drinking-water regulations for PFAS that public water systems must follow. Under the current timeline, public water systems have 3 years of initial monitoring (by 2027) and 5 years to implement solutions to reduce PFAS (by 2029); after 2029, any violations will face consequences. Implementing PFAS-reducing technologies will cost significant funds and time, and with the current deadline being 2029, it has become a top priority on the public water systems’ budget.
[KM] “Technology providers need to be more explicit in how they are implementing ‘Secure by Design’ principles so that the entire burden of cyber risk management is not solely carried by the end users.”
[WY] This would mean adding software to be proactive towards potential security threats instead of having reactive systems. Adding this type of software requires time and money that may not be currently available.
[WY] What are the risks if you do not identify and secure these vulnerabilities?
[KM] “The biggest threat at this moment is a bad actor gaining access control or management of your facility. There have been several incidents in the past year that brought significant attention to vulnerabilities in the water sector.”
[KM] “A common vulnerability is a poorly configured system with no access control such as MFA and a device is discoverable on the public internet. In one instance these vulnerabilities led to finished water storage being accessed and overflowing. Implementing some basic blocking and tackling can go a long way to reducing threats facing water systems.”
[WY] In January, a small water treatment facility in Muleshoe, Texas was the victim of a cyberattack. The attack caused a system malfunction, resulting in the water tank overflowing for 30 to 45 minutes. The incident may not have had a significant impact this time, but critical infrastructure owners/operators must be vigilant in preparing for the next attack.
[WY] Are there specific strategies that can mitigate these threats?
- [KM] “Publicly facing devices on the internet”
How to Fix it:
[KM] “Enroll in CISA’s Vulnerability Scanning for an external scan of the network to ensure system identifies publicly facing devices”
- [KM] “Remote access lacking multifactor authentication (MFA)”
How to Fix it:
[KM] “Implement MFA, especially for remote access”
- [KM] “Not having a unique username and strong password”
How to Fix it:
[KM] “Implement unique usernames and strong passwords, ideally 12-15 characters.”
Bonus Tip
[KM] Evaluate the ability for manual control and/or associated contingencies as part of an incident response plan.
[WY] Best practices and cyber protection are always changing. It is important to be aware of potential threats that can emerge in the future. Kevin shared a current trend he is seeing in the industry and the potential risks that may come from potential future exposures.
[WY] What emerging trends in cybersecurity should the water sector be preparing for?
[KM] “Growing dependency on third-party services provides great efficiency but also introduces a threat vector that must be managed properly. This includes increasing applications of ‘artificial intelligence’ that introduce concerns with data protection and privacy that require thorough vetting to understand risk exposure.
Foreign threat actors are targeting operational technology in critical infrastructure systems that support national security functions. As tensions rise internationally that type of asymmetric conflict can easily escalate with little effort as compared to conventional tactics.”
[WY] Cybersecurity in the public utilities sector is a critical issue that requires ongoing attention and proactive measures. By implementing basic cybersecurity practices and staying informed about emerging threats, utilities can better protect their systems and ensure the safety and reliability of their services.
[WY] Are there any closing thoughts you would like to leave with our readers?
[KM] “A great starting place is the guidance and self-assessment tool that AWWA developed to help utilities determine the cyber controls that are most applicable to their operations based on the type of technologies they use daily. This is free to all water systems. This also facilitates compliance with the cyber provisions in AWIA §2013.”
[WY] Kevin also recommends enrolling in CISA’s vulnerability scanning to receive weekly reports on potential vulnerabilities based on an external scan of the network.
“Basically, CISA is informing entities of what the bad guy sees when they do a virtual drive-by of your network.”
Joel Cox is a tech specialist focusing on network communications and cybersecurity. He has managed IT and OT systems for various sectors, including manufacturing and municipal services. His expertise includes project management, disaster recovery, information security, and virtualization. Joel led an IT team to IPO for an identity theft protection firm, ensuring rigorous security standards. He has maintained ISO 27001 and PCI certifications and has been featured in IBM SAP marketing materials.
Kevin M. Morley, PhD is the Manager of Federal Relations for the American Water Works Association (AWWA). He collaborates with organizations like EPA, CISA, and FEMA to enhance the security of critical infrastructure. Kevin has expanded mutual aid via the WARN initiative and developed water sector standards for security and preparedness. He recently led the adoption of the NIST Cybersecurity Framework for the water sector and manages regulatory matters related to risk management and source water protection.