Of the key critical infrastructure sectors across the United States, one of the most vital to the life and safety of Americans is the water and wastewater sector. The provision of a safe, clean, and always-on water supply coupled with reliable water treatment systems keeps our economy functioning and supports healthy communities. There are nearly 153,000 public drinking water systems and 16,000 publicly owned wastewater systems providing this important service across the country, so the physical and digital security of these services is paramount.  

Focusing on the digital risk to these systems, the Environmental Protection Agency (EPA) sent a letter to governors in March 2024 stressing the need to better safeguard the nation's water and wastewater systems from cyberthreats. This call to action highlighted the growing awareness of real risk and urgency of action at the highest levels of government. The EPA shed light on our water infrastructure vulnerabilities and the catastrophic results that might follow. It specifically pinpointed three key issues: aging infrastructure, a lack of cyber hygiene, and the need for collaboration. The primary concern was rooted in the use of outdated technologies vulnerable to cyberthreats coupled with gaps in routinely applied cybersecurity practices like software updating and patching.

These concerns are not theoretical. A case in point is the cyber intrusion on the water system in Muleshoe, Texas. The attack, which occurred one month after the EPA letter, disrupted water services and revealed weak spots within the local water infrastructure. Self-identified threat actors from Russia exploited a vulnerability in the water facility's staff remote access system, disrupting the water supply for several hours and affecting thousands of residents. Local officials and cybersecurity experts joined efforts to limit the damage and restore service, but the attack further raised the urgency for better preparation and response. Other recent attacks on water systems have occurred in Arkansas, Pennsylvania, and Florida.

Following the Texas incident, the EPA issued an enforcement alert noting that some water systems are out of compliance with the Safe Drinking Water Act requirements associated with cybersecurity best practices. Key findings showed that cybersecurity weaknesses in systems, such as outdated and under-equipped systems and poor login security, are high-value targets for disruption. Outdated technology is summarized as a crucial factor, along with weak security practices and lack of training and awareness. Many water systems still use legacy systems that are not built to withstand modern cyberthreats. Standard security measures, including multi-factor authentication and regular system updates, are often lacking.

Earlier this year, Fortinet released our 2024 Cybersecurity in Water Management Facilities Report that included survey results from respondents from across the sector, including two-thirds of respondents originating from municipally owned and operated systems. The survey showed reported cyberattacks were up by 10% since 2021, "with 33% reporting at least one attack in the last 12 months." This growth in attacks was coupled with 21% of those responding stating their agency/organizations had no plans to invest in cybersecurity, with another 19% putting those improvements/investments out three to five years.

These findings point to the challenges we see across the sector. Many systems lack resource availability to fund necessary system upgrades to improve cyber resilience across legacy IT and OT systems. This is coupled with personnel challenges ranging from the lack of availability of IT staff to ensure application of cyber best practices to gaps in training all employees to be more cyber aware generally, regardless of their job function.

Is There a Light at the End of The Tunnel?

Funding streams still available from the Infrastructure Investment and Jobs Act (IIJA) provide an opportunity to address these challenges. The IIJA allows cybersecurity to be an allowable use of funds to protect critical infrastructure and support job expansion and training in many of today's existing funding vehicles.

Two of these funding vehicles are the Clean Water State Revolving Fund (CWSRF) and the Drinking Water State Revolving Fund (DWSRF), both administered by the EPA and each perspective state's DWSRF agency. The DWSRF aids with all-hazard risk and resilience assessment, training, equipment, and infrastructure, including cybersecurity. CWSRF assistance may be available to support projects to increase the security of publicly owned treatment works, including cybersecurity. These funds are crucial in ensuring that water systems are better protected against cyberthreats and their employees are more cyber aware. While these programs are staple uses in the water system community today, many systems and operators still need help in meeting the demands and requirements to access these funds, especially as requirements related to Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs), which include cyber aspects, become commonplace.

Fortinet supports water system providers through multiple avenues. We offer a free OT Cyberthreat Assessment program and an industry-leading OT-aware solution built on ruggedized hardware that supports deployments in the harshest environments. Additionally, we support the funding and compliance journey through our Fortinet funding and consultation services and our FortiGuard Preparedness Services. Importantly, we do this through partnerships with the most qualified OT partners and integrators to fit into existing water system ecosystems to quickly deploy and enhance the ability to see threats, identify actions, and secure systems to be mission-critical, ready, and operational.