Cybersecurity Risks for Water Treatment and Wastewater Facility

In March 2024, the Environmental Protection Agency administrator and national security advisor sent a letter to state governors warning them to safeguard their water infrastructures against increasing cyberattacks.

The warning wasn’t theoretical, and it wasn’t aimed only at large cities. In fact, most recent attacks have been on rural areas.

In January 2024, cybercriminals infiltrated the water system of a rural Texas town, according to The Texas Tribune. This wasn’t an isolated incident. It was one of several attacks on rural towns in the past year, all perpetrated by a Russian cybergang. These attacks have drawn attention from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

In one case, the Russian cybergang attempted 37,000 hacks in four days. In response, local officials rapidly unplugged their systems and switched to manual operations. In April 2024, the same Russian hackers attacked a rural town in Indiana.

Rural areas might seem like unlikely targets. But from a threat actor’s perspective, they’re an excellent place to run surveillance and practice bypassing cybersecurity systems.

According to CISA, there are 153,000 public drinking water systems nationwide, and over 80% of the population gets potable drinking water from these systems. About 75% of the nation’s sewage is treated by 16,000 publicly owned wastewater treatment facilities.

Infrastructure targets

Water treatment and sewage processing facilities ensure the public has clean drinking water and sanitary wastewater disposal. These facilities depend on technology to operate, opening them up to cybersecurity risks and liabilities. These risks can have severe consequences for the communities the facilities serve.

Cybercriminals can infiltrate the facilities to acquire sensitive data, including employee information, financial details, infrastructure plans and security system details. Even if attackers breach the infrastructure without attacking the facility immediately, the threat isn’t over. Information gathered from a data breach is valuable. Cybercriminals can:

  • Sell the operational and security system data on the dark web to create more efficient attacks in the future. For example, many water treatment facilities use Internet of Things devices to monitor and control their processing systems efficiently. These devices often lack robust security and can be exploited to crawl systems and gain unauthorized access.
  • Steal and sell customers’ and employees’ personally identifiable information (PII).
  • Target operational systems, causing disruptions, blockages and system failures. Cybercriminals can take over water treatment systems to contaminate water or cut off water flow, causing financial losses and endangering public health.

In addition to the public health risk, water treatment facilities can face liabilities such as:

  • PII exposure, leading to significant penalties and sanctions
  • Financial losses, including the substantial costs of computer replacement and cybersecurity
  • Reputational damage, including loss of business partnerships and public trust

Reduce your water treatment facility’s risk

Mitigating these operational risks involves implementing robust security measures, including firewalls, antimalware and intrusion detection systems.

CISA also suggests the following:

  • Reduce exposure to the public-facing internet and other vulnerabilities.
  • Conduct regular cybersecurity assessments.
  • Change default passwords on all systems immediately.
  • Inventory technology assets.
  • Develop and practice a cybersecurity incident response and recovery plan.
  • Back up all operating systems and critical data.
  • Conduct cybersecurity awareness training with employees.

Ensure your municipality is taking cybersecurity seriously. Use CISA’s Top Actions for Securing Water Systems Toolkit as a starting place. Contact the EPA’s free technical assistance program to help improve your water treatment facility’s cybersecurity.

Stay on top of insurance coverage

Contact your insurance agent to ensure you have cyber liability coverage. Your agent can review coverage options that can be indispensable after an attack, especially if you need help restoring your systems.

Written content in blog post: Copyright © 2024 Applied Systems, Inc. All rights reserved.