Q&A: Water system cybersecurity threats and vulnerabilities

6/17/2024 Amber Rose

Written by Amber Rose


Water system cybersecurity threats and vulnerabilities

Civil and environmental engineering department head Ana Barros talks about the recent US EPA warning on cybersecurity threats and vulnerabilities of community drinking water systems.

Interviewed by Amber Rose

The United States Environmental Protection Agency (EPA) recently issued an enforcement alert, outlining the urgent cybersecurity threats and vulnerabilities to community drinking water systems. Recent EPA inspections have revealed that over 70 percent of water systems currently do not comply with requirements set in the Safe Drinking Water Act and that some of those systems have critical vulnerabilities. Civil and environmental engineering department head Ana Barros discusses this warning and the current issues facing the security of water systems in the United States. Barros is also the director of the Center for Secure Water, which aims to establish the scientific, technological and engineering foundation to create novel, smart and resilient water systems, through active engagement in discovery and innovation.

Ana Barros
CEE department head Ana Barros

What are the major threats to community drinking water systems currently?

I think the main threats really depend on the scale of the community water system we're talking about. Whether it’s a very large water drinking system, say for example, Chicago or LA, or very small towns, which have small facilities. In many of these smaller areas, the water is actually stored in open air reservoirs. Access is protected, but it could be easily attacked if you have agents who are interested in penetrating the facility.

Another concern for these facilities is where the uptakes are, such as if they are using rivers as their source of fresh water. Depending on the scale of the facility, on the financial conditions and what resources they have, those locations could be easily attacked because one could very easily learn what the security norms are by hard to detect surveillance. In large facilities, there's a lot more security infrastructure and procedures in place to make sure that security is taken care of. The challenge here is cybersecurity.

The other element of this, of course, is aging infrastructure: pipeline systems that are not operating at their best and some of them will have structural weaknesses. There's a lot of patching as maintenance, and patching is not a long-term solution. Full system retrofitting or replacement is very expensive, and affordability is a barrier. Ultimately, all costs are passed on to the users.

What would you say are some of the major reasons for noncompliance with the Safe Drinking Water Act?

For the small utilities, it's really challenging because the costs of providing quality water meeting all the EPA requirements for public health are very high. And the price of water has already been increasing steadily in the last two or three decades. You can also see clearly that this is one critical question for equity that amplifies social disparities. The percentage of increase in the cost of water has been much higher for low and middle income communities than it is in affluent areas.

For example, in a drought, the cost of water increases by 50 percent in a given area, but the price never goes back down. It goes up during the drought as a means to improve efficiency in water use and to lead people to conserve, but after the drought ends, the costs stay the same—a new baseline has been established. And as we go through climate variability and climate change, droughts are becoming more frequent and extensive. At the same time, we also have frequent flooding, heat waves and other major environmental issues. But because of that, the communities that are financially in worse situations are impacted the most by increasing costs. Replacing computer systems, for example, or adding advanced cybersecurity monitoring, is not going to be at the top of the priority list for new spending. And in some ways, it's understandable, because the real ground zero for utilities is to provide quality fresh water, so people can lead healthy lives.

What is the difference between small, rural towns and larger city municipalities?

Large municipalities operate very advanced utilities. One of the main challenges is to provide equal security across the water distribution system because of the spatial footprint and complexity. A distributed attack or an attack at a gateway node in the water system network could be potentially very damaging as the impact can cascade across the network. It’s very hard to monitor and control what's going on everywhere with many points of potential failure.

Small towns operate simple centralized facilities with short distribution systems.  Monitoring is more straightforward in a small town where people are less anonymous compared to a big city, with extremely long distribution systems serving large populations, and where monitoring for bad actors and controlling access is very difficult.

"These systems are in some ways, living systems. They live with the people that live in the town, and how that town is growing or shrinking and evolving, those systems are evolving with it."

What would be the impact of an attack on the community?

The immediate concern would be access to water quantity. Depending on the type of attack, if it's an attack on the water quality, then, of course you cannot use the water, or it could be treated locally at the point of use with special kits. If it's a question of the quality, not quantity, or compromised treatment  systems, then point-of-use treatment technology (such as filters) can be a temporary solution. But for the first few days after an attack that compromises the suitability of water for public use, access to water would be very complicated.  This usually means a run to supermarkets to purchase water, which may run out of water very quickly. Therefore, utilities or the local government must plan to bring  and distribute water to the public, generally including health care facilities, until other solutions are in place.

If it's a major break in infrastructure, like failing control valves or pump stations, it would be a very similar problem. Even if the breakdown is very localized, it takes time to fix. For the people that are downstream of the point of failure, there would have to be a very similar sort of response and the need to make safe potable water available right away.

A most important implication is the timescale. How long does it take to fix?  If the cause of failure is mechanical,  then it is possible to diagnose the problem and fix it. Likewise for treatment systems if the problem is tied to unknown chemicals or bioagents, then this becomes a much more challenging problem from detection to attribution to mitigation and control.

If water is not available beyond a few days or a week, the economic implications are huge. Most industries depend on huge volumes of water to produce everything from computers to clothes. It’s not just about tap water, it's the whole economic system that depends on water availability.

Is this something we should be concerned about happening and what are some steps that can be taken to ensure that water systems are kept safe?

Whether it's a malicious act or if it's just failure of a system by fatigue of materials or mechanical failure, accidents can happen. Recent events in Atlanta come to mind. It's really important that plans exist on how to deal with such events, but also that such plans are revisited and updated often. Most of these systems are not static, meaning even in small towns, there is always new urbanization: a new industrial unit is planned, such as a new brewery, for example, close to the river. Water systems are not fixed in time or in space. They are always expanding and evolving in their spatial footprint as municipalities change over time. We always need to be thinking about the potential consequences of different types of disasters and maintain a high level of preparedness. Because these systems are in some ways, living systems. They live with the people that live in the town, and how that town is growing or shrinking and evolving, those systems are evolving with it.

Understanding and mapping the entire water system with all of its components—cyber, physical and structural components, as well as the chemical and biological processes—is key. All of these components need to be understood as an integrated system, not just as individual parts.

Quality drinking water is something we take for granted in our modern world. Water systems are lifeline infrastructure. We're very fortunate that we don't think much about it. But in other places in the world, access to clean water is at the center of people’s lives. As such, this issue is one of 17 United Nations Sustainability Development Goals.

Share this story

This story was published June 17, 2024.