Bacteria isn’t the only thing threatening our water supplies. Recent survey data reveal how water utilities are not as prepared to prevent cybersecurity incidents. Fortunately, several recommended solutions, including enhancing password security, help to strengthen utility digital infrastructures.
Building up water utility resilience usually involves environmental or sustainability-focused objectives such as mitigating risks from climate change. However, industry leaders now consider cybersecurity as a critical part of current and future operational planning.
A survey conducted by the Water Sector Coordinating Council in June of 2021 found that most water utilities were not prepared to prevent cybersecurity incidents. Takeaways from the survey demonstrate an urgent need to improve preparedness programs, including:
32% of respondents don’t conduct cybersecurity risk assessments or know if they conduct cybersecurity risk assessments
38% allocate less than 1% of their budgets to information technology (IT) cybersecurity, while 45% allocate less than 1% to operational technology (OT) security
64% of respondents said that their utility does not employ a Chief Information Security Officer (CISO) or equivalent
42% of respondents do not have a cybersecurity awareness program
Only 22% of respondents have implemented cyber protection efforts that are monitored regularly
The challenges don’t stop there. Water utilities often use outdated IT equipment, and frequently lack skilled IT and operational resources to help mitigate cybersecurity risks. This amplifies the need to take steps to harden cybersecurity, especially as more incidents come to light.
Several water treatment plants across the United States have recently experienced cybersecurity incidents. In the winter of 2021, a water treatment plant in Florida reversed a potentially deadly attack when hackers breached the operational technology system and manipulated chemical levels in the local drinking water supply. The hackers gained access through reused passwords. Thankfully, an observant operator quickly fixed the settings and prevented a tragedy. Better password security could have helped prevent the situation.
A report by the American Water Works Association (AWWA) highlights ways to manage cyber threats by implementing several cybersecurity initiatives, to name a few:
Credential management: Reused credentials almost led to a disaster in the Florida water treatment plant incident mentioned above. The AWWA report recommends using strong passwords and even adding certain credential controls to limit access to the most critical systems.
Role-based access controls: By limiting user access based on necessity, utilities maintain control over sensitive systems. Monitoring log events provides additional protection.
Cybersecurity training: Building employee awareness around cybersecurity best practices creates a more advanced security culture.
Cybersecurity Incident Response Plan (CIRP) development: An essential part of a security response playbook includes planning for incidents and identifying potential security breach risks such as reused passwords. CIRP documents help reduce potential damage from an incident by guiding administrators on how to respond quickly.
Water utilities can implement some of the recommendations presented above immediately, contributing to more advanced cybersecurity programs. For example, an enterprise-grade password manager supports some of the major recommendations outlined by the AWWA report, including delivering better password security, providing additional access controls, helping to train employees in cybersecurity practices, and supporting CIRP protection strategies.
Water utilities can easily implement tools such as the Bitwarden password manager to help protect against cybersecurity threats. With flexible features such as password policies, water utilities can meet certain security requirements for items such as helping employees generate long, complex, and unique passwords, and enabling two-factor authentication where possible.
Start a 7-day Free Enterprise Trial to see Bitwarden in action!