In late 2024, one of the largest water utilities in the United States announced that it had been targeted in a cyberattack that left some of its systems vulnerable, including billing.
Cybersecurity threats, cyberattacks and what can be done to mitigate them have become a hot topic in the water industry. The threats became so significant that, in 2024, the U.S. Environmental Protection Agency (EPA) released an enforcement alert outlining the urgent cybersecurity threats and vulnerabilities to community water systems and the steps they need to take to mitigate them.
Cybersecurity threats to U.S. water systems
Water systems across the U.S. face a variety of cyber threats, from sabotage to ransomware. Some of the key threats include:
- Ransomware: Cybercriminals have developed and deployed ransomware that targets Supervisory Control and Data Acquisition (SCADA) systems. The ransomware can freeze critical infrastructure, requiring manual operations until the systems are recovered.
- Insider threats: Former or current employees may retain active credentials and misuse them to disrupt operations through malicious cyber activity.
- Exploitation: Utilities often use outdated firmware, default passwords or insecure remote interfaces that can be exploited by attackers to access both IT and OT networks.
- Control system manipulation: If attackers gain access to systems they can alter chemical dosing, pump controls or network operations. This could lead to public health hazards or environmental damage.
- Data breaches: Sensitive data such as facility blueprints and customer records could be obtained and exploited. Sensitive data could also include supply chain compromises that further increase risks.
What is pivoting and lateral movement?
In cybersecurity, pivoting and lateral movement are related but distinct concepts that describe how cyber attackers move within a compromised network.
Lateral movement
Lateral movement describes how an attacker moves sideways across a network to access other systems or accounts. The goal of lateral movement is to escalate privileges, access sensitive data or compromise critical infrastructure.
Examples of lateral movement include:
- Using stolen credentials to log into another server.
- Exploiting shared drives or Remote Desktop Protocol (RDP) to hop to another machine.
Pivoting
Pivoting is a technique used to route traffic through a compromised system to reach other devices that are not directly accessible. The goal of pivoting is to access isolated or segmented parts of a network.
Examples of pivoting include:
- Using tools like SSH or VPN to tunnel traffic.
- Installing a VPN on the compromised host to fully integrate into the network.
What this means for public water systems
Many water systems rely on legacy systems with poor segmentation between IT and OT.
- Default credentials, unpatched software and insecure remote access make pivoting easier.
- Lateral movement is possible due to flat network architectures. Once in, attackers can roam freely.
- Smaller utilities may lack proper network monitoring, making both pivoting and lateral activity hard to detect.
Defense strategies
Water systems can use a range of tactics to defend against these types of cyberattacks, including:
- Network segmentation (IT/OT split): Limits pivoting between office and control systems.
- Multi-factor authentication (MFA): Blocks easy credential reuse for lateral access.
- Least privilege access: Reduces attacker mobility within the network.
- Monitor traffic: Detects lateral movement behaviors.
- Disable unused remote access tools: Removes pivot paths that attackers could exploit.
- Routine updates: Regular patching and updates can help prevent exploits that enable both tactics.
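To make the "Network segmentation" and "Monitor traffic" items concrete, the following added example (not part of the original article) checks time-ordered flow records for three things: IT-to-OT traffic that bypasses an approved jump host, a relay host that then connects deeper into its own zone, and one source fanning out over remote-access ports. The addressing plan, jump host, port list, threshold and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing plan and policy (hypothetical, not from the article).
ZONES = {"IT": ipaddress.ip_network("10.10.0.0/16"),
         "OT": ipaddress.ip_network("10.20.0.0/16")}
JUMP_HOSTS = {"10.10.5.10"}        # only IT host permitted to reach OT
REMOTE_PORTS = {22, 445, 3389}     # SSH, SMB, RDP
FANOUT_THRESHOLD = 3               # distinct same-zone peers before alerting

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "EXTERNAL")

def analyze(flows):
    """flows: time-ordered (src, dst, dst_port) tuples. Returns alert tuples."""
    alerts, peers, relays = [], defaultdict(set), {}
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        approved = src in JUMP_HOSTS
        # 1. Segmentation: IT may reach OT only through the jump host.
        if sz == "IT" and dz == "OT" and not approved:
            alerts.append(("segmentation", src, f"{dst}:{port}"))
        # 2. Remember hosts that accepted an unapproved cross-zone remote session.
        if port in REMOTE_PORTS and sz != dz and not approved:
            relays.setdefault(dst, src)
        # 3. Pivot: such a host then opens connections inside its own zone.
        if src in relays and sz == dz:
            alerts.append(("pivot", src, f"via {relays[src]} -> {dst}:{port}"))
        # 4. Lateral movement: one source reaching many same-zone peers.
        if port in REMOTE_PORTS and sz == dz != "EXTERNAL" and dst not in peers[src]:
            peers[src].add(dst)
            if len(peers[src]) == FANOUT_THRESHOLD:
                alerts.append(("lateral", src, f"{len(peers[src])} peers"))
    return alerts

# Constructed sample flows (not real telemetry); 502 is Modbus/TCP.
SAMPLE_FLOWS = [
    ("10.10.5.10", "10.20.1.5", 3389),   # approved jump host into OT
    ("10.20.1.5", "10.20.2.50", 502),    # OT workstation to controller, expected
    ("10.10.3.7", "10.10.3.8", 3389),
    ("10.10.3.7", "10.10.3.9", 445),
    ("10.10.3.7", "10.10.3.12", 22),     # third peer: fan-out threshold hit
    ("10.10.3.7", "10.20.1.9", 22),      # IT workstation straight into OT
    ("10.20.1.9", "10.20.2.50", 502),    # relay host reaching a controller
]

if __name__ == "__main__":
    print(*analyze(SAMPLE_FLOWS), sep="\n")
```

On the sample data the approved jump-host path produces no alerts, while the IT workstation at 10.10.3.7 is flagged for fan-out and for crossing into OT, and 10.20.1.9 is flagged as the relay.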
About the Author
Alex Cossin
Associate Editor
Alex Cossin is the associate editor for Waterworld Magazine, Wastewater Digest and Stormwater Solutions, which compose the Endeavor Business Media Water Group. Cossin graduated from Kent State University in 2018 with a Bachelor of Science in Journalism. Cossin can be reached at [email protected].