
Keep the Water Flowing for the DoD: Securing Operational Technology from Cyberattacks


Malicious actors are ramping up attacks against water and wastewater systems (WWS), which are not only attractive targets but also complex to protect. The U.S. Department of Defense (DoD) in particular operates a large number of WWS facilities. Read on to learn how a strong cybersecurity program can help the DoD significantly reduce the cyber risk of its WWS systems.

Water systems are often high-value targets for cyberattacks, because they provide essential services to society and any disruption to their operations has severe consequences, including water shortages and public health risks. In addition to being attractive targets, these systems are frequently older, lack modern cybersecurity controls and include a range of interconnected systems and technology. These factors make them highly vulnerable to cyber threats. Ensuring the availability of safe, clean drinking water for military personnel and operations is a paramount concern for the Department of Defense (DoD). The number of possible attack vectors is immense: The DoD operates more than 100 wastewater treatment facilities and supplies water to 3.4 million people living and working in DoD facilities, such as military bases. In addition, there are more than 500 DoD installations worldwide, with over 500,000 buildings and structures, covering millions of acres of land in the U.S., U.S. territories and over 30 other countries.

The DoD needs a robust cybersecurity program to help it gain visibility of cyberattack vectors, address system vulnerabilities and protect its essential water and wastewater (WWS) facilities and resources, to effectively reduce risks from cyberthreats.

The growing need for OT security in water facilities

The evolution of water treatment facilities into technologically sophisticated entities has led to an increase in the adoption of operational technology (OT) and industrial control systems (ICS). This progress has transformed critical infrastructures into interconnected, digitized systems that leverage advanced functionalities like automation, real-time data monitoring and remote access. 

However, integrating internet of things (IoT) devices and cloud computing has increased the number of connections to the critical infrastructure. New attack vectors create opportunities for cyber criminals to enter the OT environment, expanding the attack surface. Given the pivotal role that DoD facilities play in national security, the integration of these systems with advanced cybersecurity protocols and redundancy measures becomes an even higher priority. 

Cybersecurity incidents in recent years have shown that bad actors are increasingly targeting water facilities. For instance, in December a group backed by Iran’s Islamic Revolutionary Guard Corps attacked at least 11 different U.S. water facilities, including a water facility in Pennsylvania that was forced to go into manual operations. In November, the North Texas Municipal Water District, which supplies drinking water to more than 2.2 million people, was hit with a ransomware attack from the ransomware gang Daixin Team.

To help prevent such attacks, WWS facilities need stringent cybersecurity protocols. In response, federal agencies like the Environmental Protection Agency (EPA) are enforcing compliance mandates and regulations to bolster the cybersecurity posture of WWS. These measures aim to ensure comprehensive visibility and security across the hybrid IT/OT/IoT environments within modern water treatment systems, emphasizing the need for sophisticated OT security solutions capable of countering cyberthreats.

Addressing challenges in modern water infrastructures 

In addition to OT and ICS, the shift from isolated operations to centralized and automated systems in drinking water treatment plants (DWTPs) and wastewater treatment plants (WWTPs) marks a significant advancement in water management. Centralized DWTPs and WWTPs offer improved efficiency and control, enabling more effective management of resources and regulatory compliance. They rely on a range of technologies, including programmable logic controllers (PLCs), to control various stages of water treatment. PLCs control and monitor processes such as activating pumps, managing chemical flow and generating compliance data.

Advanced systems such as these come with their own challenges. The integration of multiple technologies has made system operations more complex, requiring specialized knowledge and skills to manage and protect them. Cyber threat actors have exploited weaknesses, such as poor password security and exposure to the internet, to gain unauthorized access. For example, in one incident, threat actors targeted a U.S. water facility’s PLCs, leading to the facility taking its system offline and switching to manual operations.

Overcoming legacy limitations

The “always-on” nature of DWTPs and WWTPs makes it challenging to perform routine maintenance or apply patches when vulnerabilities are discovered. This difficulty is compounded in facilities with large infrastructures and diverse, multi-generational devices. An effective OT security solution should offer asset inventory capabilities and ensure the continuous monitoring and control of water treatment processes, even in distributed environments.

Essential features of an OT security solution

To effectively secure DoD’s water resources from cyber risks, an OT security solution must possess certain key features:

  • Asset visibility and inventory: Ability to identify and catalog IT and OT devices from a wide array of vendors, across different generations and interconnected networks without disrupting plant operations. 
  • Continuous monitoring: Real-time monitoring capabilities to maintain the most up-to-date asset inventory and visibility of cyberthreats. 
  • Advanced threat detection: Utilization of a powerful threat detection engine to identify and alert on potential incidents from various sources.
  • Configuration monitoring: Tools for monitoring and tracking changes to system configurations to mitigate risks from human error, insider threats and malware.
  • Vulnerability management: An effective vulnerability management capability is critical for maintaining a proactive cybersecurity program for the mix of modern and legacy systems.

Implementing comprehensive cybersecurity measures with Tenable

The solution for protecting the DoD's water resources requires a holistic approach. This includes implementing robust cybersecurity measures, such as inventory and vulnerability management; ensuring data security; and maintaining compliance with industry regulations and EPA guidelines.

Tenable OT Security offers comprehensive cybersecurity capabilities for critical water infrastructure that align with federal cybersecurity advisories and EPA recommendations and that assist in maintaining compliance with the evolving regulatory landscape.

For the DoD, the security of water treatment plants is not just a matter of operational efficiency. It’s imperative for the DoD’s mission of protecting the security of our nation. Embracing advanced OT security solutions like Tenable OT Security is crucial in safeguarding these critical resources against evolving cyber threats. 

To explore how Tenable can enhance the security of your water treatment facilities, read our white paper, reach out to our sales team for a demo or check out the related resources below.

This blog is the second in our six-part blog series on OT in the DoD.
