How safe is our water infrastructure from the next cyberattack? Can hackers cripple a large dam or shut off water service to an entire city? Although there has been increased attention and media focus on privacy and data security following recent data breaches and global ransomware cyberattacks, it is important to consider the cybersecurity risks posed to our nation’s vital infrastructure, in particular water management systems. The cybersecurity challenge faced by the water sector is significant. It is defined by challenging vulnerabilities, dedicated and well-resourced threats, and potential consequences that could affect countless Americans and cause severe economic damage. Managing this risk will require concerted effort to, among other things, fix vulnerabilities in legacy infrastructure, cooperate with law enforcement to deter and apprehend cyber criminals, and ensure that the water system remains resilient under even the most challenging conditions.
The risk to water infrastructure is not remote. Cyber criminals, including those affiliated with foreign governments, have already attempted to hack water infrastructure and, in some cases, succeeded. According to an unsealed New York federal grand jury indictment, in August and September 2013, Hamid Firoozi, an Iranian computer expert with ties to the country’s intelligence agencies, accessed control systems for the Bowman Avenue Dam in Rye, New York, about 30 miles north of Manhattan. According to the indictment, Firoozi used publicly disclosed vulnerabilities to access the system that controlled the dam’s gate, water levels, and flow rates. If the gate had not been manually disconnected for maintenance reasons, Firoozi would have been able to “remotely operate and manipulate the [dam’s] gate,” which could have released uncontrolled water from the dam.
This attack may be an indication of future threats to critical water infrastructure. An increasing number of water utilities connect their control systems to other local networks or directly to the Internet to allow operators remote access or simply to save money, without addressing the associated risks. Just last month, the National Infrastructure Advisory Council (NIAC), a group of CEOs convened by the Department of Homeland Security to advise the President on critical infrastructure security, warned that such direct connections “introduce vulnerabilities” into infrastructure systems. An earlier NIAC report concluded that cybersecurity awareness in the water sector “is often limited,” and the sector suffers from insufficient cyber expertise and lack of “advanced capabilities to adapt to a range of potential threats.” Water infrastructure managers face a “perfect storm” of challenges: legacy technology that is difficult to upgrade, cost pressures encouraging more remote access, and highly constrained budgets to hire qualified cybersecurity personnel.
Historically, the most common security concern, for the water sector as well as other industries, has been data breaches, including theft of personal information. In a typical example, in August 2017, the city of Oceanside in Southern California fell victim to a malware attack that stole personal and financial information from water utility customers. However, the risk of a cyberattack causing physical damage to a water system is increasingly salient. For instance, in March 2016, it was reported that malicious actors made multiple intrusions into an unnamed water utility (dubbed “Kemuri Water Company”), in which they used a payment system vulnerability to gain access to control computers, altering water flow and treatment-chemical releases. Similarly, in November 2011, a hacker compromised a Houston water utility’s control system protected by a three-character password. In an earlier incident, an employee gained access to the Arizona Salt River Project’s system through a back-up computer’s dial-up modem, allowing him to access personal data and, potentially, canal operations. In 2000, a former project consultant accessed a local Australian utility’s control system and spilled raw sewage, contaminating local waterways and other property. These incidents demonstrate that water systems are vulnerable to remote-access attacks and that there are individuals or groups with a clear intent to compromise our water infrastructure.
In addition to its unique properties, the water sector is also vulnerable to many of the same techniques that affect other industries: cyber criminals exploit known vulnerabilities in Internet-facing computers, install malicious software through a USB drive or other removable media, or, most frequently, send employees “phishing” emails loaded with a computer virus. The good news is that these threats can be mitigated. Owners and operators of water systems can develop a cybersecurity remediation plan to ensure that their systems are patched and updated, enforce strong internal controls like barring removable media, and continue to train employees in cybersecurity best practices. Indeed, owners and operators of water infrastructure can develop and exercise a cybersecurity response plan to ensure that their entire management team knows what to do, and who to call, when a cybersecurity incident occurs.
When the Department of Justice unsealed the indictment against Firoozi, then-U.S. Attorney Preet Bharara issued a call to arms for companies charged with operating and protecting critical infrastructure throughout the country: “The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime,” Bharara said in a statement. “Confronting these types of cyber-attacks cannot be the job of just law enforcement. The charges announced today should serve as a wake-up call for everyone responsible for the security of our financial markets and for guarding our infrastructure. Our future security depends on heeding this call.”
Given the potentially devastating effects of cyberattacks and the unique security vulnerabilities of critical infrastructure, these security threats must be addressed. As the National Infrastructure Advisory Council concluded, in addition to government agencies, “[w]ater associations, NGOs, academia, and the private sector—particularly CEOs—must all be engaged and committed to progress” to strengthen infrastructure security. An effective cyber risk strategy requires a full assessment of threat, vulnerability, and consequence. There is no such thing as absolute security; it is impossible to protect all data, systems, and infrastructure equally. By focusing on protecting the assets of greatest potential impact, owners and operators of water infrastructure can deploy their scarce resources to the maximum effect.
Information for this article was provided by O’Melveny. O’Melveny can help clients prepare for and respond to legal and financial risks posed by evolving data protection and privacy obligations, including by performing pre-incident counseling, helping manage a response to an incident, conducting internal investigations, and engaging in litigation and regulatory proceedings. O’Melveny can help craft and implement robust and cutting-edge security and privacy strategies. Together with the privacy and data security team, O’Melveny’s water practice offers a multidisciplinary team of attorneys experienced in various transactional, regulatory, and litigation matters related to the water and wastewater industries. Indeed, the firm’s attorneys with expertise in environmental law, land use, privacy, and regulations work seamlessly to assist clients in assessing the feasibility and risk of proposed projects, effectively documenting transactions, evaluating and navigating political and regulatory challenges, and related litigation. For more information, please contact Matt Kline at [email protected].