Cybersecurity in the Water Sector: Are You at Risk?
Cyberattacks are a growing threat to critical infrastructure, including water and wastewater systems. The COVID-19 pandemic has given an unprecedented opportunity to cyber attackers to hack and break down organizations’ IT infrastructure. This unauthorized access to water systems has many possible impacts:
- Steal or exploit customer billing information and other sensitive data, including passwords, addresses, critical asset inventory.
- Obtain vulnerability assessment information.
- Make unauthorized adjustments to water system operations.
As we continue to see more and more cyberattacks, water systems should be proactive in assessing their operations for gaps in cybersecurity (vulnerabilities) and make adjustments where possible to reduce the risks of an attack.
Protecting your system starts with conducting an assessment of your utility’s infrastructure so you know how to better protect your assets. Computer system networks are interconnected and can easily transfer or install malicious programs onto your computer. All it can take is a simple click on a bad URL to infect your computer, allowing the hacker to gain access to sensitive information and the larger system. If you haven’t already, consider taking advantage of EPA’s free cyber assessments to help identify where your system could improve cybersecurity.
For quick, easy and effective steps to improve cybersecurity practices, remember to:
- Update your system including firewalls, backup systems, software system, patching.
- Train your employees not to click on suspicious email links.
- Have a plan in place to include a protocol to follow should your system be impacted by a cyberattack. This can be added to your existing community water system emergency plan.
A community water system’s emergency plan is required to address cybersecurity as part of EPA’s America’s Water Infrastructure Act (AWIA) section 2013. This federal requirement pertains to community water systems serving more than 3,300 people; however, it’s good practice for systems of ALL sizes to have a plan for responding to and recovering from a cyberattack that disrupts water system operations. The Small System Risk and Resilience Checklist and the Vulnerability Self-Assessment Tool can assist with identifying malevolent acts like cyber attacks that pose a risk to your system. As you update your emergency plan, be sure to provide NHDES with an updated copy.
When it comes to cyber attacks, it’s not a matter of if, but when. The systems that get hacked are the ones that have weak security practices. NHDES encourages you to update the system software, complete with firewalls, backup systems, software and patches; educate and train staff on not clicking on any links or attachments that could introduce malware; and have a plan in place to be able to work through this emergency if and when it does happen. If you have any questions or would like to learn more, please visit the NHDES emergency planning webpage or contact stephanie.nistico@des.nh.gov at (603) 271-0867.