The water and wastewater sector is perhaps the most important industry that’s barely ever thought about until something goes wrong. It’s so central to modern life, however, that threat actors have started to focus their attention on the sector. This is also true because the water and wastewater sectors are highly fragmented, and some providers lack the resources necessary to truly secure their critical infrastructure. 

This lack of resources has resulted in utilities falling short of needed actions to secure their systems. According to a recent warning from the Environmental Protection Agency (EPA), 70% of water utilities the agency inspected over the past year violated standards meant to prevent breaches or other intrusions.

Similarly, there are estimates that the U.S. will spend $271 billion over the next 20 years on wastewater infrastructure to ensure it can meet demand over the long term. Effective wastewater treatment is vital for long-term community health, as well as for tracking disease patterns. 

Securing this sector is vital to maintaining modern society. Regulators have paid more attention to the industry, with the U.S. Environmental Protection Agency (EPA) recently sending a letter to state governments asking for their cooperation in securing this infrastructure. With good reason, the sector has faced many notable attacks that make clear the seriousness of the issue. 

Attacks Facing Water and Wastewater Facilities Demonstrate the Risks

Adversaries have paid substantial attention to water and wastewater facilities in recent years. There have been many examples of attacks against water and wastewater facilities, including: 

• The January 2024 attack on the Muleshoe, Texas, water system was noticed when an alert citizen was driving past a park and saw a water tower overflowing. Authorities discovered that the system controlling the water supply had been hacked, and in about two hours tens of thousands of gallons of water flowed into streets and drain pipes. In April 2024, Mandiant said that the attack may be linked to one of the most dangerous Russian government hacking groups. This has yet to be proven, but is nevertheless concerning. 
• The Municipal Water Authority of Aliquippa in Pittsburgh had to shut down its OT systems after a cyberattack from the Iran-backed group “Cyber Av3ngers” on one of its booster stations. The attack shut down equipment that monitors water pressure at the station, forcing the water company to switch to manual monitoring. 
• At least 10 more water facilities throughout the United States were hacked through the same method the Cyber Av3ngers used to breach the Aliquippa water company, according to federal investigators. The devices that the Iranian group shut down were manufactured in Israel and displayed a message that said all Israeli tech is fair game for the Cyber Av3ngers. 
• The Municipal Water Division of Oldsmar, Florida, had to defend against a poisoning attack. Someone hacked into a utility control network and raised levels of sodium hydroxide to over 100 times their normal concentrations. Sodium hydroxide is dangerous in large quantities but is safely used in everyday water treatment. An operator who noticed the hack in real time – by seeing his mouse cursor move by itself – stopped the chemicals from reaching the water supply. 
• Groups associated with the Iranian Revolutionary Guard carried out attacks against critical infrastructure companies, including drinking water systems, in November 2023. At least one water facility was hacked through a Unitronics Programmable Logic Controller (PLC). The technology manager at the hacked water facility forgot to change a default password. 
• Volt Typhoon, a state-sponsored cyber group in China, compromised the IT of a lot of different critical infrastructure systems. This includes water and wastewater systems in the U.S. and its territory. Federal departments and agencies have said that Volt Typhoon actors seem to be positioning themselves to disrupt critical infrastructure operations in case of political challenges.

These are just a few of the cyberattacks that wastewater systems may face over time. As more technologies are used in these facilities, including Internet of Things (IoT) sensors, it becomes imperative for defenders to make better choices about how to protect their critical systems. 

Key Methods to Improve Water & Wastewater IT and IoT Security

Although it has not been publicized if insecure IoT devices were the cause of these attacks, IoT devices are vital to delivering on the promise of water and wastewater facilities. These systems are difficult to monitor without remote sensors sending constant telemetry back to a central location for analysis. 

These sensors can measure water quality, monitor for dangerous levels of chemicals, or even alert workers to potential problems. IoT equipment may also be used to track pathogens in wastewater, allowing for improved public health tracking. Wastewater measurements are still a useful way to track COVID-19 levels in a community. That makes securing them vital to maintaining the mission of this critical industry. 

To ensure that IoT devices and IT infrastructure remain secure, water and wastewater facilities need to: 

• Create and maintain an asset inventory for all technology. Understanding what devices are connected to the network and discoverable on the open internet is a key first step in securing water and wastewater facilities. Once that inventory is created, security teams can more readily decide which assets to prioritize for protection. 
• Monitor for anomalous behavior in IoT and IT equipment. An IoT, OT, or IT asset suddenly communicating with an unknown IP address could be a sign of an attack in progress. Being able to quickly ascertain if that’s happening or not is potentially huge, especially for incident response.  
• Prioritize vulnerabilities based on actual risk. Not all vulnerabilities are created equal. Security teams need a solution that can inform them how an attacker could use a real weakness to compromise their systems. Once they know that, they can decide which vulnerability to patch in a more strategic manner. 

There are more steps to securing critical infrastructure, of course, but understanding the assets on a network and taking steps to monitor the most vital ones can go a long way toward ensuring long-term security. 

How Asimily Supports Water and Wastewater Security 

The Asimily platform is designed expressly with IoT devices in mind. It’s built to monitor traffic to and from IoT equipment, such as remote water pressure sensors, and surface anomalous behavior that might indicate an attack. Multiple protocols, including Profinet, are supported. By doing this, Asimily ensures that security teams have early warning. 

Asimily also provides vulnerability information on high-risk weaknesses with our proprietary algorithm. The data included in our Asimily algorithm includes information such as the EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. 

Asimily’s patented machine learning algorithm and scanning technology build asset inventories automatically, including key information about each IoT device on the network. This empowers security teams with information about what connected equipment is readily discoverable and insight into the type of device attached to the network. 

Ultimately, Asimily customers gain peace of mind from knowing what systems are attached to their networks and which ones need the most mitigations. With this insight, as well as improved monitoring, Asimily customers make better decisions and defend their vital systems more cohesively. 

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.