Water treatment was named most vulnerable in a report comparing cybersecurity in the energy, chemical, and water sectors. Essential utilities are uniquely targeted by hackers for their proximity to the necessities of civilian life and weak protection protocols. As organizations upgrade to modern smart gadgets, more opportunities open for threats to slip through the cracks if those devices are not properly secured.
This week, Water Treatment 411 provides tools for utilities to fight back against cybersecurity vulnerabilities as we explore the stats, risks, and solutions to these preventable data breaches.
Where is Water Lacking?
Red Sift recently released a report highlighting the cyber vulnerabilities in public infrastructure. The report graded companies on their use of DMARC (Domain-based Message Authentication, Reporting, and Conformance). After surveying 840 companies across three critical infrastructure sectors, the report ranked water behind its peers as the most vulnerable. It found that less than a quarter (23%) of water companies had full DMARC protections in place. Energy outshone the others with 44.5% full enforcement, and chemical's usage of 35.7% placed it between the two.
In the age of AI, flagging phishing scams has become increasingly difficult. Where once you could easily recognize a suspicious email by its typos or mechanical syntax, it is now much harder to distinguish false messages from legitimate ones. Some software allows attackers to plug in data, such as old emails or writing, and produce results that mimic the language and mannerisms of trusted senders to trick their victims.
DMARC offers policies at varying levels of strictness. The least stringent simply monitors, flagging potential threats. Quarantine policies redirect those messages to junk, and rejection policies block them entirely.
In the Red Sift report, 32% of water and waste companies had DMARC in place, but with the least strict policies, leaving users to judge messages themselves. Security experts recommend setting the policy to "p=reject" to fully block unauthorized emails and reduce the risk of unintentionally giving information and access to hackers.
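The policy levels described above can be checked mechanically. The following is an added example, not taken from the Red Sift report or the original article: it parses a DMARC TXT record and grades its enforcement level. The domains and records are constructed samples, and the grade labels, including the choice to count a `p=reject` record as "full" only when `sp=` and `pct=` do not weaken it, are this example's assumptions.

```python
"""Grade DMARC TXT records by enforcement level (constructed samples, offline)."""

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":          # RFC 7489: v=DMARC1 must be the first tag
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade(txt):
    """Classify a record; the category names are this example's own labels."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None or tags.get("p", "").lower() not in VALID_POLICIES:
        return "missing"
    policy = tags["p"].lower()
    subdomain = tags.get("sp", policy).lower()    # sp= defaults to the p= value
    try:
        pct = int(tags.get("pct", "100"))         # pct= defaults to 100
    except ValueError:
        pct = 0   # conservative choice here: a malformed pct is not full coverage
    if policy == "none":
        return "monitor-only"    # reports are sent, nothing is blocked
    if policy == "reject" and subdomain == "reject" and pct == 100:
        return "full"
    return "partial"             # quarantine, or reject weakened by sp=/pct=

# Constructed sample records; the domains are placeholders.
SAMPLES = {
    "utility-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@utility-a.example",
    "utility-b.example": "v=DMARC1; p=quarantine; pct=50",
    "utility-c.example": "v=DMARC1; p=reject; sp=none",
    "utility-d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@utility-d.example",
    "utility-e.example": None,   # no _dmarc TXT record published
}

def summarize(samples):
    return {domain: grade(txt) for domain, txt in samples.items()}

if __name__ == "__main__":
    for domain, result in summarize(SAMPLES).items():
        print(f"{domain:20} {result}")
```

A record is published as a TXT entry at `_dmarc.<domain>`; feeding the published value to `grade()` shows whether the domain is only monitoring or actually rejecting unauthenticated mail.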
What’s at Stake?
Cybersecurity is quickly becoming the backbone of all industries as processes become more automated and dependent on human-machine interfaces (HMIs) and other smart technology. To make matters worse, essential utilities are especially attractive to hacktivists and other groups who hope to secure financial gain, disrupt public life or make a political statement through geopolitical disruptions.
While smaller, rural operations may be targeted for their more limited protection, national companies are not immune. In late 2024, American Water, the largest publicly traded water utility in the country, faced a major cybersecurity incident that caused it to temporarily disable its billing system and customer portal. While existing monitoring tools were able to alert and flag suspicious activity quickly, customer systems were inaccessible for over a week as experts worked to contain and resolve the attack.
There are several ways an attack like this can damage a company. In critical infrastructure, public health could be endangered. Disruptions or alterations to operations could leave customers without a daily necessity, or even unknowingly consuming contaminated materials. Users of ransomware may seek a payout while withholding information or operations.
Overall, incidents like these may bring a brand’s reputation and trustworthiness into question, resulting in serious financial loss.
What’s the Next Step?
Leaders in the field may ask, “How can I keep myself, my company and the public safe?”
Experts cite legacy infrastructure and a lack of basic cyber hygiene as crucial weaknesses in organizations. Using unique passwords and resetting them as employees enter new roles can prevent incidents. As mentioned before, protocols like DMARC with strict rejection policies can protect against phishing fraud. Take inventory of operational technology and HMIs to secure assets by implementing strong passwords and multi-factor authentication (MFA). The Environmental Protection Agency also recommends geofencing and network segmentation to prevent widespread attacks.
Staying updated on threats, prevention and resources can be the best defense against cyber-attacks. Seek external support via third-party security services to perform routine vulnerability scanning and system upgrades. Develop a response plan to detect and react to threats to minimize damage when incidents arise.
Overall, being prepared and keeping your team informed is the best protection for your organization and community.



