How safe is our water infrastructure from the next cyberattack? Can hackers cripple a large dam or shut off water service to an entire city? Although there has been increased attention and media focus on privacy and data security following recent data breaches and global ransomware cyberattacks, it is important to consider the cybersecurity risks posed to our nation’s vital infrastructure, in particular water management systems. The cybersecurity challenge faced by the water sector is significant. It is defined by challenging vulnerabilities, dedicated and well-resourced threats, and potential consequences that could affect countless Americans and cause severe economic damage. Managing this risk will require concerted effort to, among other things, fix vulnerabilities in legacy infrastructure, cooperate with law enforcement to deter and apprehend cyber criminals, and ensure that the water system remains resilient under even the most challenging conditions.

The risk to water infrastructure is not remote. Cyber criminals, including those affiliated with foreign governments, have already attempted, and in some cases succeeded, in hacking water infrastructure. According to an unsealed New York federal grand jury indictment, in August and September 2013, Hamid Firoozi, an Iranian computer expert with ties to the country’s intelligence agencies, accessed control systems for the Bowman Avenue Dam in Rye, New York, about 30 miles north of Manhattan. According to the indictment, Firoozi used publically disclosed vulnerabilities to access the system that controlled the dam’s gate, water levels, and flow rates. If the gate had not been manually disconnected for maintenance reasons, Firoozi would have been able to “remotely operate and manipulate the [dam’s] gate,” which could have released uncontrolled water from the dam.

This attack may be an indicia of future threats to critical water infrastructure. An increasing number of water utilities connect their control systems to other local networks or directly to the Internet to allow operators remote access or simply to save money, without addressing the associated risks. Just last month, the National Infrastructure Advisory Council (NIAC), a group of CEOs convened by the Department of Homeland Security to advise the President on critical infrastructure security, warned that such direct connections “introduce vulnerabilities” into infrastructure systems. An earlier NIAC report concluded that cyber security awareness in the water sector “is often limited,” and the sector suffers from insufficient cyber expertise and lack of “advanced capabilities to adapt to a range of potential threats.” Water infrastructure managers face a “perfect storm” of challenge: legacy technology that is difficult to upgrade, cost pressures encouraging more remote access, and highly constrained budgets to hire qualified cybersecurity personnel.

Prev