Rising Tide of Risk: The Urgent Call to Safeguard Our Water Systems from Cyber Threats

May 21, 2024

Rising Tide of Risk: The Urgent Call to Safeguard Our Water Systems from Cyber Threats

Untitled design (48)

By Daniel Brunner | Chief Operating Officer | Brunner Sierra Group

Cyberattacks on critical infrastructure have escalated in recent years, with water systems increasingly becoming a target for malicious activities. As these attacks pose significant threats to public health and safety, the urgency for utility companies to bolster their cybersecurity measures has never been more critical. The Environmental Protection Agency (EPA) has issued warnings and guidelines to help these entities enhance their resilience against potential cyber threats.


Water systems are vital to community well-being, providing essential services that impact every aspect of daily life. However, the inherent vulnerability of these systems makes them susceptible to cyber intrusions that could disrupt water supply, contaminate water quality, or even cause system-wide failures. The consequences of such events could be catastrophic, ranging from health crises due to unsafe drinking water to severe economic impacts stemming from the disruption of daily operations.


The EPA has recognized the increasing frequency and sophistication of cyberattacks targeting these utilities. In response, it has urged water utility companies across the nation to adopt more robust cybersecurity practices. These include conducting regular security assessments, implementing real-time monitoring, and ensuring that all staff are trained on cybersecurity best practices. The agency emphasizes the importance of a proactive approach, suggesting that waiting until after an attack has occurred is too late and the damage could be irreversible.


To guide utility companies, the EPA has developed a set of standards and best practices that are designed to shield water systems from cyber threats. These recommendations stress the importance of upgrading outdated systems that are more vulnerable to attacks, employing advanced encryption methods, and establishing strict access controls. Furthermore, the EPA advocates for the creation of incident response plans that are ready to be executed the moment a threat is detected, ensuring a swift and coordinated action to mitigate any damage.


Cyberattacks on water systems can manifest in various ways, each posing unique threats to the operation and safety of these essential services. For instance, ransomware attacks have been known to lock out utility operators from their control systems, demanding hefty ransoms to restore access, as seen in the case of a water treatment facility in Florida where hackers attempted to increase the sodium hydroxide levels in the water supply. Another type of attack involves SQL injections, where attackers exploit vulnerabilities in outdated software to manipulate water treatment processes and disrupt service delivery. Phishing attacks target utility employees, tricking them into divulging login credentials which attackers use to gain unauthorized access to secure networks. Additionally, Distributed Denial of Service (DDoS) attacks can overload the network servers of water facilities, leading to shutdowns that halt operations and potentially result in service outages for thousands of customers. Each of these scenarios demonstrates the critical need for robust cybersecurity measures in protecting water systems from potential threats

Rising Tide of Risk The Urgent Call to Safeguard Our Water Systems from Cyber Threats (1)

The need for increased cybersecurity in water systems is also driven by the integration of Internet of Things (IoT) devices into critical infrastructure. These devices often improve efficiency and monitoring capabilities but can also open new avenues for cyberattacks if not properly secured. The EPA warns that each connected device potentially serves as an entry point for hackers, making it imperative that they are secured and regularly updated.


In addition to technological solutions, the EPA also emphasizes the importance of collaboration among federal, state, and local authorities, as well as between different utility providers. This collaborative approach can lead to the sharing of threat intelligence, best practices, and other resources that can enhance the overall security posture of the water systems sector.


Moreover, the EPA is actively working with other federal agencies to ensure that water utilities have the necessary funding to implement these critical cybersecurity measures. Grants and financial aids are made available to help smaller utilities, which often lack the resources to invest in comprehensive cybersecurity infrastructures.


Public awareness is another critical component of the EPA’s strategy. By educating consumers about the importance of cybersecurity in water systems, the agency aims to foster a more informed and vigilant community that can support the efforts of utility companies in safeguarding their infrastructure.



In conclusion, the increase in cyberattacks on water systems is a pressing issue that requires immediate and decisive action from utility companies, supported by guidelines and resources from the EPA. By adopting advanced cybersecurity measures, enhancing collaborative efforts, and fostering public awareness, the resilience of America’s water systems against cyber threats can be significantly strengthened, ensuring the safety and reliability of water services for all.