Cyber criminals have been increasingly targeting water facilities in the United States, including 150,000 public water systems. This growing threat has prompted more attention and policies focused primarily on improving cybersecurity.

Water and wastewater systems are among the 16 Critical Infrastructures of the U.S. This category is defined as an industry that is so vital to the United States, that “the incapacity of or destruction of these systems and assets will have a debilitating effect on security, economic security, public health or safety, or any combination thereof.”

According to the X Force Threat Intelligence Index, companies, including water facilities, ranked 4th in terms of industries targeted, accounting for 11,1% of all attacks. Malware was the most common attack type (43%), followed by ransomware. North America was the second most affected region in the world, with 22% of all attacks. This is behind Europe, who experienced 43%.

Cyberattacks on water facilities are increasing

Concerns grew after a number of attacks on water facilities. The drinking water was not compromised by any of the attacks. In October 2023, an Iranian-backed cybergroup attacked one of the Municipal Water Authority of Aliquippa ‘s booster stations . According to a December 1, 2023 alert, IRGC cyber-actors accessed multiple U.S. wastewater system facilities starting November 22, 2023. Threat actors gained access to those facilities, which run Unitronics vision series PLCs, by using compromised passwords.

In a recent cent Wall Street Journal article , Frnk Ury said that “a main concern is that hacker are lying dormant within water facilities’ systems”. He also stated that a coordinated assault could target multiple areas simultaneously to increase the damages and prevent the appropriate warnings. Santa Margarita Water District, like many other water facilities, does not have a chief information security officer. Ury also shared that only 15% of the technology budget for the facility is allocated to cybersecurity.

Read the Threat Intelligence Index

Concerns prompt federal government action

CISA , in response to the increased focus on wastewater facilities, released an Incident Response Guide specific for the wastewater sector, in January 2024. The guide identifies potential cybersecurity solutions, as well as varying levels of cyber maturity. The IRG contains information about federal roles and responsibilities in relation to each stage of cyber incident response. This guide can be used by operators to establish baseline standards and create stronger incident response plans.

The government has also been in contact with the states about the risks to this industry. According to a letter sent to all state Governors in March 2024 by EPA Administrator Michael Regan, and National Security Adviser Jake Sullivan, many water facilities lack even basic cybersecurity measures, such as resetting the default passwords or upgrading software to address known vulnerabilities.

The letter asked governors to assess current cybersecurity practices in order to identify any significant weaknesses, implement practices and controls where necessary to reduce cybersecurity risk, and to exercise plans for preparing for, responding to, and recovering from a cyber event.

In April 2024, Representatives Rick Crawford (R., Ark.) Representatives Rick Crawford (R., Ark.) proposed a law to create the Water Risk and Resilience Organization, a governing organization that will develop cybersecurity mandates for drinking and wastewater systems. The WRRO’s goal is to work with EPA to develop cybersecurity requirements for drinking water and wastewater systems.

“Foreign adversaries such as Russia and China have used cyberattacks to target vital infrastructure such as water systems. This bill takes a proactive approach to protecting our drinking water and wastewater systems from these types attacks. These protections are essential in a time when cyber threats are constant, and technology is rapidly evolving,” Rep. Crawford stated in the announcement.

Continue Reading