DHS-funded project helps improve cybersecurity for water treatment facilities

12/4/2024

A team of researchers at the University of Illinois Critical Infrastructure Resilience Institute (CIRI), a Department of Homeland Security (DHS) Center of Excellence (COE), is developing technology to help protect the more than 150,000 water treatment facilities in the U.S. from cyberattacks that could disrupt Americans' access to safe drinking water.

In the last year alone, hackers with ties to Iran, Russia and China have targeted water treatment plants in Pennsylvania, Texas, and Kansas. Fortunately, the attacks were thwarted when operators at the mostly rural treatment facilities caught the incursions and switched their equipment and systems to manual mode before any harm could be done.

The CIRI team is adapting a DHS/CIRI-developed software application that will make it easier for water system owners and operators to achieve and maintain conformance to national cybersecurity standards and best practices in response to persistent and rising cybersecurity threats.

However, water treatment facilities—like other critical infrastructure entities that have undergone digital transformation—remain vulnerable to attacks that could disrupt, disable or contaminate drinking water supplies.

In 2023, the Environmental Protection Agency (EPA) issued requirements for water systems to self-assess their cybersecurity practices. Those requirements were identified in the Water Cybersecurity Assessment Tool (WCAT) released by the EPA.

Water industry groups and others won a court injunction to block the EPA rules' implementation, claiming the EPA failed to follow proper public comment procedures prior to their release and that the rules placed burdens on under-funded and under-resourced water systems.

“The smaller [facilities] typically don’t have the personnel or the proficiency to really address the demands placed upon them by the EPA,” said team member Danny Reible, the Donovan Maddox Distinguished Engineering Chair at Texas Tech and renowned authority on contaminants in water and the natural environment. “They’re focused on making sure the water is safe enough to drink.”

Reible added: “But if they had access to something like a dashboard, then they’re not doing it alone. They’d have user-friendly tools and resources developed by cybersecurity professionals that they can use to assess their systems and operations and to effectively establish and manage a plan of action to achieve and maintain adherence to the requirements.”

Conformance to cybersecurity standards and best practices is a key element in establishing and maintaining an effective cyber risk management process.  

“Given today’s heightened threat levels, increased connectivity and system interdependence, stakeholders—such as regulators, government oversight bodies, insurance carriers, and prime contractors—are increasingly demanding that owners and operators maintain and report adherence to recognized cybersecurity standards and best practices,” said Randy Sandone, CIRI executive director. “This project is intended to reduce the burden on water system operators as they do just that.”

The Cybersecurity Framework (CSF), developed by the National Institute of Standards and Technology (NIST), was specifically designed to help critical infrastructure owners and operators (such as water systems) manage and mitigate cybersecurity risks.

“NIST built some gold standard methods to measure, audit and implement the security posture of any IT or OT systems,” said team member Karthik Balasubramanian, president of cybersecurity consulting firm Karthik Consulting. “What we are doing in the project is adapting the NIST CSF to the water systems domain and delivering a solution that makes it easier, faster, and less costly for water systems to implement and maintain adherence to cybersecurity requirements.”

“We believe our project will deliver a welcome solution for the water systems community – allowing owners and operators of water systems large and small to easily and accurately assess their cybersecurity postures and to develop and manage the full range of activities necessary to achieve, maintain, and report status and progress toward full compliance with requirements,” said Reible.

Sandone added: “As a Department of Homeland Security (DHS) Center of Excellence, we’re focused on developing a solution that will satisfy the entire community—from EPA to DHS to the water systems utilities themselves—so we as a nation can improve and enhance the security and resilience of our water systems on behalf of the American people.”


This story was published December 4, 2024.