Cyberattacks are on the rise and almost every organization seems to be at risk. Right now, there’s even reason to believe that water may be the next big target for cybercriminals.

In 2021, a number of high-profile attacks on water utilities encouraged the government and water treatment facilities to rethink the importance of water cybersecurity. So what actually is water cybersecurity? Does it really matter? And should we realistically expect cyberattacks on key infrastructure?

What Is Water Cybersecurity?


Water cybersecurity is cybersecurity for companies that manage important water infrastructure features like water treatment plants, storage systems, and distribution facilities.

Cybersecurity can include almost any tool, technology, or training that will help a company protect its digital systems from a cyberattack. A cyberattack is an attack launched by cybercriminals with the intent of disabling, damaging, or holding for ransom important digital assets like documentation, records, or files that allow critical systems to work.

Often, these digital assets are necessary for the target company to accomplish basic, day-to-day work. A successful attack, as a result, can cause serious downtime for an organization.

Why Does Water Utility Security Matter?

Water treatment plants may not seem like an obvious target for hackers. After all, these facilities typically don’t hold onto valuable personal information or financial details that hackers can steal to commit crimes like identity theft or fraud.

However, a newer type of cybercrime—ransomware—has made almost every organization in the U.S. a target for cybercriminals.

During a ransomware attack, a hacker uses malicious software to lock down important files on a target organization’s network, preventing the organization from using these files unless they pay a ransom to the hacker. In most cases, this prevents work from happening at all until the attack ends. Critical data and records may also be at risk if the organization chooses not to pay. Paying the hacker also doesn’t guarantee the locked-down files will be released.

Operators of critical infrastructure, like water treatment plants and wastewater systems, may be particularly vulnerable to these attacks because of their importance to the communities they serve. A number of critical infrastructure operators have already been targeted by hackers.

A particularly notable ransomware attack was the Colonial Pipeline attack, which shut down one of the largest oil pipelines on the East Coast.

How Is the Government Fighting Water Cyberattacks?

The government seems increasingly aware of how vulnerable America’s critical infrastructure is to cyberattacks. For example, the Department of Justice launched a Civil Cyber-Fraud Initiative in 2021 that punishes government contractors for not complying with certain cybersecurity standards.

Early in 2022, the Biden administration also signed into law a new bill that will require critical infrastructure operators to report certain cybersecurity incidents like ransomware attacks to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Additionally, the Environmental Protection Agency (EPA) has announced its own action plan to improve water sector cybersecurity over the next few years.

In the future, these programs and partnerships should help the government and operators better respond to potential threats from attackers.

How Hackers Have Targeted Water Infrastructure Operators


While the biggest attacks have mostly targeted infrastructure like pipelines, some water infrastructure operators have already fallen victim to cyberattacks.

In 2021, for example, a hacker breached a water treatment plant and attempted to poison a Florida city’s water supply. The hacker used their access to the plant’s system to remotely increase the level of sodium hydroxide, a corrosive chemical, in the Oldsmar, Florida, water supply to dangerous levels.

Employees quickly noticed some unusual system behavior caused by the hacker—like cursors moving by themselves and, eventually, the changes to sodium hydroxide levels. As a result, they were able to take corrective action and prevent the chemicals from entering the town’s water supply. Police were never able to identify or catch the hacker, however.

Investigators concluded that the Oldsmar breach likely occurred after a computer at the water treatment plant visited a water utility contractor’s website that had been compromised and contained malicious code.

Certain cybersecurity tools that monitor for unusual activity may have been able to catch the hacker before they could make changes to how the water treatment plant was functioning. Better cybersecurity training for plant workers could have also made it easier for those employees to spot and report the unusual system behavior caused by the hacker.

Should We Expect Attacks on Water Utilities to Rise?

Future cyberattacks on water infrastructure that are less obvious—or that lock employees out of utility systems, preventing them from adjusting the system—could lead to disaster. These future hacks could seriously injure residents or use ransomware to lock down important water infrastructure systems. Water infrastructure downtime could cause major problems for a community.

Cybersecurity and tech professionals were quick to note that the Oldsmar attack could have been much worse. Commentators like David Lynch, CEO of water utility operating system developer Klir, also wrote that utilities have become more exposed than ever to cyberattacks. In the near future, attacks on water utilities could become much more common.

Why Water District Cybersecurity Is So Important

As cyberattacks become more common, water infrastructure operators around the U.S. and in other territories may be at risk. Some hackers have already targeted infrastructure like water treatment plants. A successful hack could cause serious issues for the infrastructure operators and their local communities.

The government is starting to take cybersecurity more seriously, which may help water infrastructure operators improve their water cybersecurity. However, operators will probably need to invest in tighter cybersecurity to keep their networks safe.

If you're troubled by the idea, contact your local water authority to express your concerns; putting pressure on operators and raising awareness is how we can fight cybercriminals in an industry we might not otherwise have much influence over.