
Thoughts From Engineers: Cybersecurity: More at Risk Than Meets the Eye

Chris Maeder on March 30, 2022 - in Articles, Column

As an indicator of how quickly events are evolving lately, by the time this column goes to print, the geopolitical circumstances in which we find ourselves today could be radically changed. What seemed unlikely to occur a few months ago—namely the invasion of Ukraine by Russia—now plays out horrifically before our eyes. The world suddenly is rocked by a senseless humanitarian crisis few could have predicted.

As global norms undergo a seismic shift and tensions rise, risks to a variety of assets—physical, financial, virtual—loom. We’ve long discussed the failing state of much of our country’s built infrastructure. The focus here, of course, is on the integrity and durability of the structures we see—the bridge decks, road surfaces and sewer lines—and the ability of these structures to withstand extreme weather, increasing physical loads and ordinary wear and tear. We also know, of course, that our critical infrastructure is made of much more than this. Modernizing and expanding our water utilities, for example, means increasing capacity and developing digitized industrial control systems (ICSs), which bring all the working parts together and allow utilities to deliver service in the way they were designed.

The threat of cyberattack against critical infrastructure has been percolating in the background for some time. It gets little attention aside from the occasional surge in media coverage following a high-profile data breach, but the scale of the risk, and of the damage that can be done via enemy agent and remote desktop, is real. U.S. intelligence agencies consider our nation’s cybersecurity a leading national-security issue, with the number of cyberattacks targeting critical infrastructure increasing significantly in recent years. By some accounts, U.S. water utilities experience some form of cyberattack incident daily. The Biden administration is ramping up efforts to get ahead of these threats through a number of proactive measures, but how successful are these tools and technologies likely to be?

Past Incidents as Precursors to Future Threats

In 2021, hackers managed to break into a water-treatment facility serving roughly 20,000 in Oldsmar, Fla. Once “inside” the network, hackers attempted to add hazardous levels of sodium hydroxide to the water supply before the action was intercepted and reversed.

Ransomware has been downloaded in wastewater facilities and water-treatment plants across the country. The City of Atlanta’s Water Department became hostage to a ransomware attack in 2018. Employees were denied access to internal networks, and wireless internet access was shut down because of a successful spear-phishing ploy that downloaded system-disabling malware.

From manipulating treatment and conveyance operation to disabling valves, pumps and other equipment to compromising customer data, the opportunities for cybercrime are endless.

The Workability of New Guidelines

The scale of risk to public health and welfare due to compromised cybernetworks is limited only by one’s imagination. In October 2021, the White House and 30 countries issued a joint statement (bit.ly/WH30Countries) on the threat posed by ransomware, underscoring the scale of collaboration necessary to make a difference: “(A) nation’s ability to effectively prevent, detect, mitigate and respond to threats from ransomware will depend, in part, on the capacity, cooperation and resilience of global partners, the private sector, civil society and the general public.”

This statement coincided with several initiatives launched by the White House in April 2021 to fortify U.S. defenses against cyberattacks targeting critical infrastructure, otherwise known as the Industrial Control System Cybersecurity Initiative (bit.ly/WHCriticalInfrastructure). More than 150 electric utilities and the pipeline sector began adopting technology to monitor and detect cyberattacks through early pilot programs.

In January 2022, the Biden administration’s initiative was extended to the water sector. The Water Sector Action Plan aims to focus on a two-pronged approach: 1) the first set of strategies aims to implement technologies that monitor and detect breaches within system operations in real time; and 2) the second aims to set up a broad notification system in which incidents of breach are shared with relevant public and private agents alike, followed by coordinated analysis, recovery and remedial measures.

The administration emphasizes that the effort requires a “whole-of-nation” response entailing collaboration among numerous actors. Companies such as Apple, Google and IBM recently came onboard with projects ranging from promoting security improvements within supply chains to cybersecurity skill-training programs to helping government agencies upgrade security systems. The EPA recently developed a fact sheet, “EPA Cybersecurity Best Practices for the Water Sector” (bit.ly/EPAcybersecurity). Some of the recommendations include a thorough auditing of IT systems and pinpointing of vulnerabilities, segregating networks hosting different types of data and restricting access to networks, creating contingency and emergency-response plans, requiring employee training in cybersecurity best practices, requiring the regular update of IT systems and practices, and more.

Obviously, many of the issues that account for the nation’s failing physical infrastructure also apply to maintenance of the nation’s ICSs. Cost is a primary factor. To effectively stay ahead of the “ransomware ecosystem” means making substantial investments in qualified personnel, training programs, and the front- and back-office systems that help water utilities deliver as designed. As the American Water Works Association points out in its publication, “Cybersecurity Risk & Responsibility in the Water Sector” (bit.ly/AWWAcybersecurity), the significant variability in water utility size, ownership, budget and technical experience means implementation of federal recommendations is likely to be patchy at best. Despite these realities, the development of federal performance protocols and goals is an important and timely step toward greater water-sector resilience.

An Unpredictable Era Ahead

For years, the North American continent’s relative geographic isolation seemed to keep the United States apart from conflict and unrest overseas. This obviously is no longer the case, largely because of the digitally connected character of our lives, modes of communication and support systems. Scenarios in which thousands of people are at risk due to the work of a criminal with a keyboard remind me of the standard James Bond storylines I once thought too strange to materialize. But here we are, entrenched in a cyber-universe with implications unfolding by the day, forced to figure out local, national and international strategies to keep cyberthreats with countless points of entry at bay.


About Chris Maeder

Chris Maeder, P.E., M.S., CFM, is engineering director at CivilGEO Inc.; email: [email protected].
