Cybersecurity: Water Utility Security Part 1

Public utilities are a vital part of national and local infrastructure. No corporation, organization, government, or residence can operate for very long without essentials like running water, sanitation, electricity, and communications. Yet in an increasingly computerized and connected world, the convenience associated with these necessities also poses a risk.

The delivery processes for utilities are increasingly automated. Relying on modern software and remote communication is a benefit overall because it makes systems much more efficient. Web-based software and cloud computing deliver highly scalable and reliable management of critical applications at a low cost. With the advent of the “internet of things”, systems can be monitored, diagnosed, and even repaired remotely. Yet these advances also open up new areas of risk. Any system that is not completely isolated on its own network can be remotely hacked.

Who Would Attack a Water Provider?

Public sector organizations like water and wastewater utilities might not appear to be likely targets. Compared to a major retailer, a local water company simply doesn’t process enough transactions to be an attractive victim. The Dallas Water Utility, one of the largest public water utilities in the U.S., has only 300,000 meters in its system. Even the largest private water utility in the U.S. (American Water) only serves 15 million customers. As a comparison, the Target data breach exposed the financial data of 40 million customers and the name and contact information of 70 million more.

But if the goal is disruption of infrastructure rather than profit, hacking a water/wastewater agency’s computer network makes a lot of sense. A city without water could turn into a disaster zone in short order in the event of a security breach. If the cyberattack on a utility managed to damage the infrastructure itself, the results could be devastating for a community or region.

What Challenges Do Water Utilities Face in Preventing Attacks?

For utility companies seeking to increase the security and reliability of services, the very criticality of undisrupted service is a barrier to implementing appropriate safeguards. Banks have been called “too big to fail.” In the same way, utilities might be considered “too essential to take offline for upgrades.” Unfortunately, that way of thinking could lead to disaster.

In Part 2 of this series, we’ll take a closer look at why so few water utilities make security a top priority.