Menu Close
Wastewater Treatment Facility Nick Allen

Water Systems at Risk of Cyber: An unconventional option   

By
Branko Terzic

“Disabling cyberattacks are striking water and wastewater systems throughout the United States.”

That’s the opening sentence of a March 18, 2024, letter sent to the nation’s Governors signed jointly by Environment Protection Agency (EPA) Administrator Micheal S. Regan and Assistant to the President for National Security Affairs Jake Sullivan.

The letter brings to the governor’s attention two recent cyber incidents:

  • Attacks by the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) on critical infrastructure targeting and disabling a common type of operational technology (OT) used at water facilities,
  • Pre-positioning of malware in critical infrastructure operations by the cyber group “Volt Typhoon” sponsored by the People’s Republic of China (PRC).

The letter explains that water and wastewater systems are an attractive target “…because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.” 

The EPA reports that there are there are over 148,000 public water systems in the United States classified according to the number of people they serve, the source of their water, and whether they serve the same customers year-round or on an occasional basis. The majority of US citizens, 90%, are served by 52,000 community water systems providing regular water service. There are also fourteen publicly traded Investor-owned water utility companies (IOU) serving 33 states serving about 10% of consumers. The municipal systems are predominately self-regulated, and the IOUs are under regulation by state public utility commissions (public service commissions.)

The size of the water systems can range from the municipal water systems of Los Angeles, New York and Chicago to small rural community systems. The states of Wisconsin and Maine are the only states where all water systems, including municipal, are regulated by the Public Service Commission ( I served as a Wisconsin Commissioner in the 1980’s.)

Unlike the other infrastructure utilities of electricity and natural gas systems, water systems provide, in addition to fire protection and process water, a food product heightening consumer concern and fear of contamination.

While continuation of delivered water service of acceptable quality is the main concern, there is also the potential for data breaches including individual customer data and information. An IBM 2023 Cost of Data Breach Report indicates that the average cost of a data breach in the US is $9.48 Million. The report also indicates that the cost to critical infrastructure is higher than the average.

Both public systems and IOU’s have been hit. A ransomware attack on Veolia North America resulted in the loss of personal data of customers. In January of this year an attack on the municipal water system in Muleshoe Texas resulted in hackers causing a water tower to overflow sending tens of thousands of gallons of water into the street and drainpipes.

The threat is greater than immediate damage. The reported propositioning of malware means that systems are infected without detection. This malware just requires a signal from China, Iran, or other external threat sources to activate.

Conventional software based cyber security measures are focused on identifying breaches as they occur and quickly applying a patch as quickly as possible. The same IBM report indicates that in reviewing detected breaches only 33% were identified by internal security teams, 40% by benign third parties (law enforcement) and 27% by the hackers themselves (think ransomware.)

An unconventional and new approach to protecting the nation’s water utilities and other infrastructure is based on HardSec which blocks hackers denying them access to the utility’s IT and OT systems. The installation of HardSec, such as the Q Net Security module, would prevent hackers, whether nation state entities or criminal organizations, from externally activating previously embedded malware. The Q Net Security solution requires a simple “drop-in” with no modifications or adjustments to existing and new software. For more information see www.qnetsecurity.com


The Honorable Branko Terzic is a former Commissioner on the U.S. Federal Energy Regulatory Commission and State of Wisconsin Public Service Commission, in addition he served as Chairman of the United Nations Economic Commission for Europe ( UNECE) Ad Hoc Group of Experts on Cleaner Electricity. He hold a BS Engineering and honorary Doctor of Sciences in Engineering (h.c.) both from the University of Wisconsin- Milwaukee.  

#BrankoTerzic #energy #regulations #experience #research #future #opportunity #strategy #management #people #electricity #power #utilities #powergeneration #energyindustry #sustainability #legislation #water #wastetreatment #cyber #security #attacks