How water and wastewater systems can meet the EPA’s cyber hygiene demands
The question of defending our nation’s most critical assets could previously be solved with physical solutions. A strong, well-guarded perimeter, a suite of surveillance systems, and robust entry control were often enough to deter the average trespasser.
Recent technological leaps and turbulent geopolitics, however, have forced a different answer to the question of securing critical infrastructure. While physical threats remain rampant—a hot topic at this year's ISC East conference was mitigating the impact of both domestic and foreign drone attacks on facilities—agencies like the EPA are urging operators to redirect their attention to intruders crossing the cyber perimeter.
New waves of cyber disruptions target crucial water utilities
Cyber-attacks on critical infrastructure have ramped up over the past few years, with specific focus on water systems. At the tail end of 2023, several water utilities across the United States were breached by threat actors, who hacked into the computer systems that enable the facility’s machinery to communicate. Early 2024 also saw water and wastewater systems targeted by cybercriminals, prompting a response from the Biden administration that placed some of the blame on Chinese nation-state actors.
The scale of these attacks was not the primary concern, however—it was the ease with which they were conducted. U.S. and Israeli authorities issued an advisory in the wake of these attacks that revealed the hacker’s use of default passwords to take control of industrial equipment, implying the neglect of basic cyber hygiene.
“Cyber weapons don’t cost a lot to build—it’s very easy to sow chaos,” says Dave Gunter, OT Cybersecurity Director at Armexa. “They can become weapons of terror and destruction. It’s the kind of world we live in now, however unfortunate.”
A threat of this magnitude cannot be ignored, as disruption of these critical resources means the loss of access to clean water for hundreds of thousands of Americans. This could prove especially disastrous if the U.S. enters a major conflict, as nation-state actors may attempt to cut citizens off from vital resources to sow discord and confusion throughout the country.
“Water systems aren’t connected like other utilities, like the electrical grid,” Gunter explains. “Taking the grid down can cause a host of impacts, but they can transfer resources to one another. Water systems are regional—and a region could cover millions of people. Imagine an attack on the city of Chicago, or Phoenix—what could that do?”
Enforcing cyber standards
In an effort to prevent these catastrophes before they occur, the EPA issued an enforcement alert in May 2024. The product of a government-wide effort to reduce cybersecurity vulnerabilities in U.S. water systems led by the National Security Council and the Cybersecurity and Infrastructure Security Agency (CISA), the new guidelines are designed to improve the dismal cyber compliance rates of these facilities through increased inspections and risk assessments. With the EPA discovering that over 70% of water systems in the U.S. do not meet these requirements, there is a lot of legwork to do.
“The EPA is following a trend we’ve seen in other industries,” Gunter elaborates. “The Coast Guard, for example, issues NVIC guidelines for maritime and port security inspections. The EPA has just added cybersecurity as an inspection point.”
At the center of this framework is compliance with the Safe Drinking Water Act, established to protect the quality of drinking water in the U.S. Under Section 1433, amended in 2018, facilities are required to conduct regular risk, resilience, and emergency assessments with specific guidelines to reduce exposure to public-facing internet, conduct regular cybersecurity assessments, change default passwords, and develop proactive cyber defense protocols, including incident response, recovery plans, IT/OT system backups, and cybersecurity awareness training.
The pain points of cyber hygiene
While this list may appear daunting at first, especially to smaller facilities with tighter budgets, Gunter says that the EPA is just ensuring all cyber bases are covered. “The EPA is looking to make sure people are doing the basics to reduce public-facing internet exposure in their facilities,” he comments. “They’re looking for simple cyber hygiene—have you completed risk assessments? Do you have a list of all of your OT assets? They’re not asking for heavy lifting; they’re asking for common sense.”
One of the first foundational aspects of maintaining cyber hygiene is conducting regular risk assessments. According to Gunter, however, not all risk assessments are equally worthy. “Consequence-based risk assessments are the real meat and potatoes,” he explains. “You need to identify the consequences for individual system disruptions: what can you live without, and for how long? What is your window of repair? Asking these simple questions drives you to investigate your cybersecurity in a wiser manner than if you just filled out a scorecard—you’re looking at real consequences for your team and community.”
As facility teams create incident response plans for process safety, so too must they build on their risk assessments to draft a plan of action in the event of a cyber breach. While this entails fundamental cyber hygiene practices like employee training and system backups, Gunter advocates specifically for critical infrastructure facilities to ensure that their equipment can run manually during an attack to minimize disruption. “In the water and wastewater business, systems are designed to ride out a network loss by running in manual,” Gunter explains. “Manual processes need to be drilled and tested to ensure that they are quick and simple and that everyone is ready for them.”
Gunter’s second foundational aspect of cyber preparedness—vulnerability management—is one of the best ways to ensure that the network breaches forcing manual operations are less likely to occur in the first place. The identification of zero-day vulnerabilities involving default passwords, for example, would have prevented threat actors from accessing internet-connected industrial equipment in previous attacks.
“If there’s a piece of high-impact software out there with a vulnerability, you need to make sure you have it managed to lower your attack footprint,” Gunter says. “Take stock of your devices and make sure they are behind a security barrier. Identify how many of them are connected directly to the internet, and make sure none of them have default passwords. Analyze software updates instead of implementing them automatically because they might disrupt OT systems.”
His vulnerability management strategy is composed of four aspects: treat, tolerate, transfer, and terminate. To treat a software vulnerability, patch it out. Identifying a low-risk vulnerability and making the informed decision to redirect resources toward more pressing threats is a toleration strategy. Calling in a process automation vendor or equipment owner to patch their software is a transference of risk responsibility to an informed party. If a piece of software introduces more vulnerabilities than is worth keeping up with, teams may choose to terminate that risk entirely.
“By following the simple precept of treat, tolerate, transfer, and terminate, you can build a common-sense approach to managing your vulnerabilities,” Gunter says. “Identify what your logic is, rationalize your approach, and document it.”
A culture of vigilance
All of this, Gunter says, can be boiled down into one key aspect of cybersecurity: vigilance. Keep a watchful eye on your assessed risks, response plans, and vulnerability management processes. Look out for physical security vulnerabilities that can impact cyber hygiene, like employees propping open doors to server rooms or allowing unauthorized guests to enter the premises.
“If you see something, say something,” Gunter finishes. “Identify red flags in your processes— not all systems are necessarily up to date. Any of these things can disrupt what comes out of our faucet, and we all take that for granted at times.”
