By Michael Yehoshua

On October 23, toothpaste maker Colgate and world champion swimmer, Michael Phelps, the ambassador for the company’s Save Water initiative, headed over 1,100 organizations across the United States for the fifth annual ‘Imagine a Day without Water’. The annual nationwide education initiative was created by the US Water Alliance and it Value of Water Campaign to raise awareness of the importance of the country’s water supply and the infrastructure that maintains it.

The coverage of the nationwide water awareness day focused on ways to conserve water in the context of long-term fears concerning the future of the planet’s supply of freshwater in the light of global warming. But nothing was reported concerning a far more imminent threat to the US water supply – that of crippling cyber-attacks directed by hostile nation-states and organized groups of cybercriminals.

While there are now calls for the US Congress to make rulings designed to protect the power grid from cyber-attacks and many warnings been written about the horrors of a city deprived of its power and rapidly descending into chaos, the vulnerability of vital water utilities has hardly been discussed at all.

But water utilities are as vulnerable to cyber-attacks as power stations and the effects of disrupting a city’s water supply could be more devastating than cutting off its electricity. After all, people lived for hundreds of thousands of years without access to electricity. But in all humanity’s long past, no-one has ever been able to survive more than a few days without water. Toilets and sewage systems also depend on constant water supply. Cyber-attacks designed to damage infrastructure in such a way as to stop or pollute the water supply could make great cities almost uninhabitable for weeks on end. Farming regions are also heavily dependent on water supplies for irrigation and cyber-attacks aimed at agricultural regions could even impact the country’s food supply.

An orchestrated attack on the US water supply sponsored by a hostile nation-state would wreak untold chaos on a target country’s economy and way of life, the primary aim of cyberwarfare. Alternatively, financially hacker groups could hold authorities and even countries to ransom by executing targeted malware attacks on water utilities.

Water utilities typically have outdated cybersecurity in place that has not kept pace with the age of the internet. Where critical infrastructures once used stand-alone IT systems and operations were largely mechanical, water utilities are becoming increasingly digitalized while also embracing the Internet of Industrial Things (IIoT). In the interest of efficiency and cost-effectiveness, third-party contractors are now also frequently used for mission-critical functions. All these innovations carry an unseen price. They leave the utility open numerous threat vectors.

It is now a matter of national urgency that water utilities extend their cybersecurity perimeters immediately with modern Twenty-First Century defenses designed to stay a step ahead of state-sponsored hackers and criminal gangs. SCADAfence technology and procedures, for example, allow water utilities to identify and examine exposures and security gaps before attacks can occur. Network maps, statistics and dashboards are designed to fit from the smallest network to those with thousands of assets. SCADAfence is now partnering with Fortinet’s FortiGate VPN functionality to allow secure remote connectivity to industrial facilities and crucial infrastructure such as water utilities. Part of the process must also include including monitoring of internal traffic on the system and being able to instantly disconnect or disable a remote session if the user is performing actions that deviate from company policies, learned behavior, or rule-based engines from inside the SCADAfence platform.

On October 23, Michael Phelps, the most decorated Olympic athlete of all time, urged the American people to “try and imagine a day without water.” Unless America starts to secure its water utilities against cyber-attacks, their imaginings could become a grim reality for many – and far sooner than Phelps, Colgate or the climate activists anticipate.

About the Author
Michael Yehoshua is the global VP of marketing at operation technology (OT) cybersecurity company SCADAfence.