United States Environmental Protection Agency
Cyber Security 101 for Water Utilities
Many drinking water and wastewater utilities today depend on computer networks and automated control systems to operate and monitor
processes such as treatment, testing and movement of water. These industrial control systems (ICSs) have improved drinking water and
wastewater service and increased their reliability. However, this reliance on ICSs, such as Supervisory Control and Data Acquisition (SCADA),
has left the Water Sector and other interdependent critical infrastructures, including energy, transportation and food and agriculture,
potentially vulnerable to targeted cyber attacks or accidental cyber events. A cyber attack causing an interruption to drinking water and
wastewater services could erode public confidence, or worse, produce significant public health and economic consequences.[1]
Establishing facility and information access controls, which includes cyber security, is one of the Key Features of an Active
and Effective Protective Program. The U.S. Environmental Protection Agency (EPA), in collaboration with the Water Sector,
developed the Key Features to strengthen the security and resiliency of water systems in the face of all hazards.
THE KEY FEATURES
1. Integrate protective concepts into organizational culture, leadership and daily operations
2. Identify and support protective program priorities, resources and utility-specific measures
3. Employ protocols for detection of contamination
4. Assess risks and review vulnerability assessments (VAs)
5. Establish facility and information access control
6. Incorporate resiliency concepts into physical infrastructure
7. Prepare, test, and update emergency response and business continuity plans
8. Develop partnerships with first responders, managers of critical interdependent infrastructure, other utilities and response organizations
9. Develop and implement internal and external communication strategies
10. Monitor incidents and threat-level information
Types of Cyber Attacks on Water Systems
A cyber attack is an attempt to undermine or compromise the function of ICSs, or an attempt to track the online movements
of individuals without their permission. Attacks of this type may be undetectable to the water utility or SCADA system
administrator but can lead to a total disruption of a water utility's network. Examples of these attacks include:
• Denial of Service: Flooding a resource (a network or Web server) with thousands of false requests so as to crash or
make the resource unavailable to its intended users
• Spyware: Monitors user activity
• Trojan Horse: Malicious file or program that disguises itself as a legitimate file or program
• Virus: Attaches to existing programs, then replicates and spreads from one computer to another
• Worm: Malicious file that replicates itself and spreads to other computers
• Sniffer: Monitors information traveling over a network
• Key Loggers: Record keystrokes and transmit them to the originator
• Phishing: Fake websites or e-mail messages that look genuine and ask users for confidential personal data
[1] "Water Security Roadmap to Secure Control Systems in the Water Sector," developed by the Water Sector Coordinating Council Cyber
Security Working Group, March 2008.
Highlighting Real-World Cyber Attacks
The following are actual cyber incidents that impacted water utilities and illustrate the types of damages and impacts these
attacks can cause:[1]
• Queensland, Australia, 2001: Former employee of software development company hacked 46 times into the SCADA system that
controlled a sewage treatment plant, releasing over 264,000 gallons of raw sewage into nearby rivers and parks.
• Harrisburg, PA, 2006: Foreign hacker penetrated security of a water filtering plant through the Internet. The intruder planted
malicious software that was capable of affecting the plant's water treatment operations.
How Can Cyber Attacks Affect Water Systems?
Cyber incidents can affect water system operations in a variety of ways, some
with potentially significant adverse effects to public health and the environment.
Examples of potential impacts include:[1]
• Interference with operation of water treatment equipment, causing chemical
over- or under-dosing
• Unauthorized changes to programmed instructions in local processors which
enable individuals to take control of drinking water distribution or wastewater
collection systems potentially resulting in disabled service, reduced pressure flows
of water into fire hydrants, or overflow of untreated sewage into public waterways
• Changing or disabling alarm thresholds, which could delay detection of intrusion
or water contamination
Preventing Cyber Attacks
Water utilities can reduce vulnerabilities from cyber attacks or events by: (1) identifying systems that need to be protected,
(2) separating systems into functional groups, (3) implementing layered or tiered defenses around each system, and (4)
controlling access into, and between, each group. Utilities should also:
• Institute procedures to limit the number of individuals with authorized access to
networks
• Update software on a regular basis
• Require strong passwords
• Install and maintain anti-virus software
• Employ intrusion detection systems and firewalls
To be most effective, water utility cyber security programs should build on strong organizational security policies,
utility-wide security awareness, and effective personnel and physical security practices.
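The four steps above (identify systems, separate them into functional groups, layer defenses, control access into and between groups) can be checked against observed network traffic. The following is an added example, not part of the EPA fact sheet; the group names, address ranges, permitted conduits and flow records are all constructed assumptions.

```python
import ipaddress

# Steps 1-2: inventory of protected systems, each assigned to a functional group.
# All group names and address ranges are constructed for illustration.
GROUPS = {
    "business": ipaddress.ip_network("10.10.0.0/24"),  # office IT
    "dmz":      ipaddress.ip_network("10.20.0.0/24"),  # data historian mirror
    "scada":    ipaddress.ip_network("10.30.0.0/24"),  # HMI and SCADA servers
    "plc":      ipaddress.ip_network("10.40.0.0/24"),  # local processors
}

# Steps 3-4: the only permitted conduits (source group, destination group, port).
# Anything not listed is denied, so business hosts never reach PLCs directly.
ALLOWED = {
    ("business", "dmz", 443),  # hypothetical: staff read reports from the DMZ
    ("scada", "dmz", 1433),    # hypothetical: SCADA pushes data to the historian
    ("scada", "plc", 502),     # HMI polls PLCs over Modbus/TCP
}

def group_of(addr):
    """Return the functional group an address belongs to, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in GROUPS.items():
        if ip in net:
            return name
    return "external"

def audit_flows(flows):
    """Return every cross-group flow that is not an allowed conduit."""
    violations = []
    for src, dst, port in flows:
        sg, dg = group_of(src), group_of(dst)
        if sg != dg and (sg, dg, port) not in ALLOWED:
            violations.append((src, dst, port, f"{sg}->{dg}"))
    return violations

# Constructed sample flow records: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.30.0.5", "10.40.0.11", 502),    # SCADA to PLC: allowed
    ("10.10.0.23", "10.20.0.8", 443),    # business to DMZ: allowed
    ("10.10.0.23", "10.40.0.11", 502),   # business to PLC: skips the layers
    ("203.0.113.9", "10.30.0.5", 3389),  # outside address into SCADA
    ("10.40.0.11", "10.40.0.12", 502),   # inside one group: not checked here
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("NOT PERMITTED", *violation)
```

Flow records like these would come from firewall or switch logs; the same allowlist doubles as a specification for the firewall rules between groups.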
Where to go for additional information on Cyber Security
Additional resources and guidance documents on cyber security applicable to the
Water Sector include:
• Water Security Roadmap to Secure Control Systems in the Water Sector: Developed by Water Sector Coordinating Council
Cyber Security Working Group, in accordance with the Department of Homeland Security's National Infrastructure
Protection Plan partnership model: http://www.awwa.org/files/GovtPublicAffairs/PDF/WaterSecurityRoadmap031908.pdf
• Water Information Sharing and Analysis Center (WaterISAC): Secure, Web-based
clearinghouse that helps water utilities, state and federal agencies, first responders,
law enforcement, and public health officials prepare for water service interruptions:
https://portal.waterisac.org
• U.S. Department of Homeland Security, Control Systems Security Programs
(CSSP): Coordinates activities to reduce likelihood of success, and severity of impact,
of cyber attacks against critical ICSs: http://www.us-cert.gov/control_systems
• CSSP's Cyber Security Evaluation Tool (CSET): Desktop software tool that guides
users through step-by-step process to assess their control systems and IT network
security practices: http://us-cert.gov/control_systems/satool.html
FOR MORE INFORMATION: EPA is committed to ensuring the Water Sector can access information and tools that
enable utilities to enhance the security of their cyber systems. For more information on EPA's support for the Key
Features of an Active and Effective Protective Program, visit http://water.epa.gov/infrastructure/watersecurity/features
or email WSD-Outreach@epa.gov.
Office of Water (4608-T) EPA 817-K-12-004 www.epa.gov/watersecurity July 2012