Skip to main content

Overcoming Cybersecurity and Interoperability Challenges in the Water Sector

By Iishi Patel

Cybersecurity threats to drinking water and wastewater systems have been a growing concern in recent years. The increasing use of automation and technology integration in these systems has made them more vulnerable to cyber attacks, potentially putting public health and safety at risk. There are more than 52,000 community water systems in the United States, and most are run by local governments, many of which are very small and may not have the resources to improve their cybersecurity.

In February 2021, a hacker gained unauthorized access to a water treatment plant’s computer system in Oldsmar, Florida. The hacker raised the level of sodium hydroxide in the water supply, which could have caused serious health problems if not detected and reversed quickly. Since then, many states have issued alerts to water systems and taken steps to improve their cybersecurity measures. However, small water utilities often lack the resources to ensure their cybersecurity is strong, and there are concerns that insiders could also pose a threat.

The Water Data Forum’s latest episode, held on March 9, 2023, focused on cybersecurity and interoperability challenges faced in the water sector due to the adoption of digital capabilities, with an emphasis on developing national databases for water pipes, implementing AI, and minimizing cybersecurity risks. In the panel discussion on intelligent water systems, experts from various fields came together to share their insights and experiences. The focus was on the challenge of creating a national database for water pipes, which requires collecting data from various utilities in different formats and using different software. The speakers emphasized the need for data to be standardized, interoperable, and accurate to enhance service delivery and ensure that data analysis provides useful knowledge and wisdom. Dr. Sunil Sinha, the Director of the Sustainable Water Infrastructure Management (SWIM) Center at Virginia Tech, proposed that the water sector in the USA can learn from other advanced sectors such as transportation and smart electric grids to speed up their adoption of data-related standards and interoperability models to ensure swift adaptation of cybersecurity practices.

Additionally, in November 2022, the National Cybersecurity Center of Excellence (NCCOE) announced the formation of a group dedicated to securing the water industry from cyber threats. The NCCOE seeks guidance from the industry and has created cybersecurity best practices for the water sector. The organization’s goal is to offer education, testing, and complementary resources to support the water industry in developing stronger defenses against cyber attackers.

The Biden-Harris Administration has extended the Industrial Control Systems (ICS) Cybersecurity Initiative to the water sector, with the Water Sector Action Plan outlining actions to improve cybersecurity over the next 100 days. The plan will assist owners and operators in deploying technology that provides cyber threat visibility and sharing cybersecurity information with the government and stakeholders. The plan will initially focus on utilities serving the larger populations but will lay the foundation for enhanced ICS cybersecurity across water systems of all sizes.

Overall, when it comes to designing a cybersecurity strategy for the water sector, it is important to assess the organization’s current ability to manage people, processes, and technology, and determine their level of maturity. After this understanding, we need to secure the organization’s data with a focus on asset management, data integrity, remote access, and network segmentation and aim to align business needs and cybersecurity requirements. Hence, interoperability and cybersecurity should be viewed as complementary rather than separate, with increased interoperability potentially leading to improved cybersecurity. However, to implement these kinds of strategies on a national level, there is a need for a common methodology and standards for the water sector, which can be achieved through standardized system engineering. It is suggested that academic institutions and professional associations collaborate to lead the development of these standards.

Get Involved

Join the upcoming Water Data Forum webinar on June 16, 2023, which will be focused on a cross-sector discussion of wastewater surveillance for public health.

Contact the MBDH to learn more, or if you’re aware of other people or projects involved in water data and cybersecurity that we should profile here. We invite participation in any of our community-led Priority Areas. The MBDH has a variety of ways to get involved with our community and activities.

The Midwest Big Data Innovation Hub is an NSF-funded partnership of the University of Illinois at Urbana-Champaign, Indiana University, Iowa State University, the University of Michigan, the University of Minnesota, and the University of North Dakota, and is focused on developing collaborations in the 12-state Midwest region. Learn more about the national NSF Big Data Hubs community.

Agroterrorism: Cybersecurity Incidents Affect Agriculture and Water

By Raleigh Butler

You may not think that agriculture and cybersecurity, both themes of the Midwest Big Data Innovation Hub, are linked, but recent events demonstrate there are connections between the two that pose risks to our food security.

The “food and agriculture” industry is publicly defined as a critical infrastructure sector by the U.S. Department of Homeland Security. The Cybersecurity & Infrastructure Security Agency (CISA) states that food and agriculture is one of sixteen essential critical infrastructure sectors that provide “the essential services that underpin American society and serve as the backbone of our nation’s economy, security, and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.” Those statements highlight the urgency of building robust cyberinfrastructure to prevent massive disruptions to crucial public services.

A recent cyberattack targeting an Iowa-based agriculture company called New Cooperative illustrates the severity and consequences of those incidences. The group claiming responsibility—BlackMatter—deals in blackmail, Reuters reports. The hackers from BlackMatter locked New Cooperative’s access to data that support the food supply chains and detail the feeding schedule of the livestock. In order to get access to the decryption key for its data and reinstate their farming activities, New Cooperative was ordered to pay $5.9 million.

As Bobby J. Martens, an associate professor of Economics at Iowa State University was quoted as saying, “This event wasn’t long enough to cause a change in the commodity price, but certainly it will have ramifications in terms of the food supply system. If they do it to this company, they could do it to one of the majors. They can block the food chain. They attacked in the heartland of all agriculture. It’s a new form of terrorism.”

Regardless of the source, and whether it is purposeful or accidental, a failure in any other critical sector could be life threatening for US citizens. For example, Water and Wastewater Systems is a related sector on CISA’s list, and in fact, water system attacks did occur early in 2020, the most prominent being the Oldsmar, Florida attack of February 16. While the breach nearly allowed a mass poisoning to occur, the mayor viewed the event as a “success.” According to ProPublica, cybersecurity experts view the breach not as a success, but instead as a “frightening near-miss.” Retired Admiral Mark Montgomery, a panelist on the MBDH Water Data Forum webinar on water and cybersecurity in May 2021, was quoted as saying, “Frankly, they got very lucky. They averted a disaster through a lot of good fortune.”

Nontechnical companies are extremely vulnerable to cyberattacks. According to the 2020 state of ransomware report, manufacturing, government, services, and healthcare are among the top sectors prone to cyberattacks. This link leads to this report from a company called BlackFog, a leading company in ransomware protection.

Moving forward, it is possible for businesses and governmental sectors to make cybersecurity an integral part of their practices. Even seemingly trivial data maintenance, such as regularly backing up data in multiple storage devices and encrypting data during transfer, can improve data security in the long run. The key is to operate under the mindset of protecting data and to be more intentional about data protection at any point. The U.S. National Institute of Standards and Technology (NIST) and CISA developed the NIST Cybersecurity Framework, a comprehensive approach to security for critical infrastructure, and there are subsets of that work to support small businesses and other organizations with cybersecurity risks that may not have extensive resources.

On the management level, designated information security officers can build more secure databases and data management systems. The information security officers can also perform routine testing for weaknesses in the existing systems. They could also work with the risk managers to develop preventative measures in case of cyberattacks. Other preventive measures include purchasing cyber insurance.

An additional benefit of developing systems for monitoring and collecting data is the ability to assess the impact of other external events. We previously published a story on how researchers were assessing the spread of COVID-19 by examining the relative levels of the virus in wastewater systems. Since many infrastructure systems, such as agriculture, water, and food, are an interconnected web of dependencies, threats to one can have cascading impacts across others. For academic organizations that manage research data repositories, the MBDH and its partners developed a guidance document on data security for open science, through our Trustworthy Data Working Group.

Get involved

Do you have a cybersecurity success story or case study to share from your organization? Contact the Midwest Big Data Innovation Hub if you’re aware of other people or projects we should profile here, or to participate in any of our community-led Priority Areas. The MBDH has a variety of ways to get involved with our community and activities.

The Midwest Big Data Innovation Hub is an NSF-funded partnership of the University of Illinois at Urbana-Champaign, Indiana University, Iowa State University, the University of Michigan, the University of Minnesota, and the University of North Dakota, and is focused on developing collaborations in the 12-state Midwest region. Learn more about the national NSF Big Data Hubs community.