BTA Weekly Water Cyber – Branko Terzic

The letter brings to the governor’s attention two recent cyber incidents:

Attacks by the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) on critical infrastructure targeting and disabling a common type of operational technology (OT) used at water facilities,
Pre-positioning of malware in critical infrastructure operations by the cyber group “Volt Typhoon” sponsored by the People’s Republic of China (PRC).

The letter explains that water and wastewater systems are an attractive target “…because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.”

The EPA reports that there are there are over 148,000 public water systems in the United States classified according to the number of people they serve, the source of their water, and whether they serve the same customers year-round or on an occasional basis. The majority of US citizens, 90%, are served by 52,000 community water systems providing regular water service. There are also fourteen publicly traded Investor-owned water utility companies (IOU) serving 33 states serving about 10% of consumers. The municipal systems are predominately self-regulated, and the IOUs are under regulation by state public utility commissions (public service commissions.)

The size of the water systems can range from the municipal water systems of Los Angeles, New York and Chicago to small rural community systems. The states of Wisconsin and Maine are the only states where all water systems, including municipal, are regulated by the Public Service Commission ( I served as a Wisconsin Commissioner in the 1980’s.)

Unlike the other infrastructure utilities of electricity and natural gas systems, water systems provide, in addition to fire protection and process water, a food product heightening consumer concern and fear of contamination.

While continuation of delivered water service of acceptable quality is the main concern, there is also the potential for data breaches including individual customer data and information. An IBM 2023 Cost of Data Breach Report indicates that the average cost of a data breach in the US is $9.48 Million. The report also indicates that the cost to critical infrastructure is higher than the average.

Both public systems and IOU’s have been hit. A ransomware attack on Veolia North America resulted in the loss of personal data of customers. In January of this year an attack on the municipal water system in Muleshoe Texas resulted in hackers causing a water tower to overflow sending tens of thousands of gallons of water into the street and drainpipes.

The threat is greater than immediate damage. The reported propositioning of malware means that systems are infected without detection. This malware just requires a signal from China, Iran, or other external threat sources to activate.

Conventional software based cyber security measures are focused on identifying breaches as they occur and quickly applying a patch as quickly as possible. The same IBM report indicates that in reviewing detected breaches only 33% were identified by internal security teams, 40% by benign third parties (law enforcement) and 27% by the hackers themselves (think ransomware.)

An unconventional and new approach to protecting the nation’s water utilities and other infrastructure is based on HardSec which blocks hackers denying them access to the utility’s IT and OT systems. The installation of HardSec, such as the Q Net Security module, would prevent hackers, whether nation state entities or criminal organizations, from externally activating previously embedded malware. The Q Net Security solution requires a simple “drop-in” with no modifications or adjustments to existing and new software. For more information see www.qnetsecurity.com

Water Systems at Risk of Cyber: An unconventional option

By
Branko Terzic

Water Systems at Risk of Cyber: An unconventional option

By Branko Terzic

By
Branko Terzic