The water sector quietly began preparing for a possible onslaught of cyberattacks from Russia more than two months ago, when rumblings of an invasion of Ukraine were being discussed at the White House.
Today water utilities across the country are girding for online attacks and misinformation campaigns that could lead to drinking water contamination, service disruptions and demands for ransom.
“We don’t have any evidence that anything has taken place, or any proof that something will take place,” said Michael Arceneaux, chief operating officer of the Association of Metropolitan Water Agencies and the managing director of WaterISAC, the sector’s threat sharing organization.
“Russia pretty much has the capacity to do what it wants to do, just like [the National Security Agency] has the capacity to do what it wants to do,” Arceneaux continued. “Whether they do it or not is another question, and which target they pick is another question as well.”
Before Christmas last year, EPA and WaterISAC began sending out joint advisories, calling on water utilities to be on high alert and beef up staff on weekends and holidays, said Arceneaux.
“Some people thought that that was an ideal time for a nation-state like Russia to start [impacting] U.S. asset owners and operators,” he said, adding that nothing happened over the holidays but the federal government is once again calling on operators of critical infrastructure to beef up their responses and use of best practices.
On Friday, top White House officials warned U.S. companies to brace for possible cyberattacks — specifically mentioning the water sector — and cited hackers disrupting Ukraine targets.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, told reporters the U.S. government has been focused on shoring up protections for critical infrastructure and began preparing for possible retaliatory cyberattacks from Russia “since before Thanksgiving” (Energywire, Feb. 23).
Neuberger said at the time that there were no known “specific or credible cyberthreats” to the U.S., but added the government is keeping the focus on critical systems including the water sector.
“So, generally, as we look at ourselves as a society, we know that critical infrastructure is our focus — to rapidly improve our domestic resilience because of the degree to which critical services like power and water touch citizens across the United States,” she said.
“Particularly, power, communications and water have been a clear focus because of the fact that they touch Americans’ lives and because of the need to address the fact that these sectors digitized quickly, and we need to catch up from a security and resilience [standpoint], which we have made significant progress on in this first year,” she said.
In January, the Biden administration unveiled a 100-day action plan — a voluntary strategy — to increase protection of water systems from attacks like those that crippled the Colonial oil pipeline and meat giant JBS last year (Greenwire, Jan. 27).
The multiagency strategy was an extension of President Biden’s Industrial Control Systems (ICS) Cybersecurity Initiative, a collaboration between the government and industry that has already been used to deploy cybersecurity technologies and increased monitoring among electric utilities and pipelines.
A number of water utilities last year experienced increasingly sophisticated cyberattacks on their systems that, in some instances, led to demands for ransom (Greenwire, May 21, 2021). When it comes to energy and water systems, hackers force companies to halt operations or go offline and then demand payments to unlock computers and get plants back up and running, a growing and lucrative business.
Vulnerabilities at water utilities vary, Arceneaux said, with smaller providers with less bandwidth and resources unable to recover as quickly from an attack.
Arceneaux said it’s critical that water utilities be vigilant and use strong and unique passwords and multifactor authentication to prevent access by third parties. They should also be able to operate manually and should follow best practices, including bringing on surge support to get up and running after an attack.
And while there are no known instances of Russian hackers penetrating U.S. water systems, he said the simple threat or presence of hackers can interrupt operations, noting that the Colonial pipeline shut down out of an abundance of caution after its systems were hacked.
“I’ve heard senior DHS officials say that all critical infrastructure should assume Russia and other nation-states have been in your systems, stealing your data, just looking around, seeing what they could do if they wanted to do it,” he said. “It’s more of a nuisance, a scare tactic kind of campaign, which is nevertheless very destructive.”
Reporter Christian Vasquez contributed.