October is Cybersecurity Awareness Month, which is the perfect time to share Fort Collins – Loveland Water District’s front-and-center approach to addressing safety and cybersecurity. You may or may not be aware that cybersecurity threats to critical infrastructure have been a rising concern recently. FCLWD takes these threats very seriously. In this blog post, we’ll share why being proactive is so vital by examining a few national examples of attacks on critical infrastructure, how our collaborative approach protects us from cybersecurity attacks and how and why cybersecurity is a fast-evolving battleground.
TLDR: Blog Summary
- Current and recent events highlight how and why critical infrastructure, including water districts, can be an easy target for international bad actors looking to cause chaos and disruption.
- FCLWD takes a front-and-center approach to safety, including cybersecurity, and has many systems and processes to help keep our water supply secure. Our “we’re all in this together” culture at FCLWD supports the safety of our infrastructure.
- COVID and the associated remote and hybrid work environments accelerated cybersecurity risks. More recently, AI capabilities mean that ransomware code can change rapidly to evade detection and phishing scams appear more realistic than ever.
- Don’t forget about your personal security. We have tips available to protect you at home.
Why are cybersecurity threats a big concern for water districts?
Most of us have at least a vague awareness of cyberattacks. Who hasn’t had to cancel a credit card because the number was leaked during a security breach or suspected fraud? While protecting our customer data is a priority at FCLWD, the threat to critical infrastructure is much more serious than a classic leak of personal information.
As proven by several recent national incidents, critical infrastructure like water and wastewater, energy and communications have become prime targets for hackers with nefarious intentions. For example, Aliquippa Municipal Water Authority in rural Pennsylvania never thought it would become embroiled in geopolitical tensions with a pro-Iranian hacker group targeting Israeli-made equipment, but that’s exactly what happened in November 2023.
Hackers targeted programmable logic controllers (PLCs) that monitor water pressure by accessing the PLC’s manufacturer’s marketing database, finding IP addresses for where that equipment was sold and exploiting vulnerable systems that had never swapped out the default password (1111) for a more secure password. The Aliquippa Municipal Water Authority had to take its systems offline until the breach could be addressed.
According to FLCWD’s IT and Data/Systems Manager, Eric Dowdy, the incident was a wake-up call to the water sector about the importance of implementing comprehensive cybersecurity measures. No small municipal water provider proved too small for international hackers who intended to disrupt water supplies to create panic and chaos.
While the Aliquippa instance was concerning, it certainly wasn’t the first event like this to happen in recent years. In 2021, hackers attempted to poison the water supply in Oldsmar, Florida, by remotely accessing an onsite computer. In just a few clicks, they programmed the system to raise the levels of lye in the water from 100 to 11,100 parts per million. Thankfully, a plant operator noticed the change immediately and reset the system to the correct amounts, so no harm was done. Eric shared,
“The way that this plant operator acted immediately is the perfect example of how we’re all in this together when it comes to preventing cybersecurity attacks, as well as quickly reacting if a cybersecurity breach does happen. If the operator hadn’t acted so quickly, there could have been serious implications to the water supply for tens of thousands of people.”
Eric’s observation about the operator’s fast action in Florida perfectly explains how FCLWD approaches cybersecurity.
FCLWD’s Proactive Focus on Cybersecurity
Recent national events have made it clear in the water industry that they must take cybersecurity seriously. In fact, the American Water Works Association (AWWA) reported this year that 81% of respondents in an industry survey said they consider cybersecurity to be an immediate priority. Eric shared, however, that the problem isn’t a lack of awareness anymore but rather a lack of budget and resources to implement the changes needed to protect against cybersecurity threats.
“Our District is in a great position, with a great board of directors who not only understands the seriousness of this issue but fully supports and fully funds our cybersecurity efforts because it’s a part of our mission statement to provide secure water,” Eric explained.
Eric manages a team of in-house and managed IT providers to help ensure that FCLWD’s water supply stays secure from potential threats. Cybersecurity efforts account for about 50% of total IT time and resources. The following systems and processes are in place to support cybersecurity efforts:
- The District conducts multiple comprehensive and focused vulnerability assessments each year and implements changes based on findings from the tests.
- The entire staff receives monthly safety training, including both physical safety in the field and digital safety.
- New hires go through cybersecurity training as a part of their onboarding.
- Eric and the team surround themselves with cybersecurity experts, and he is on a cybersecurity subcommittee that has representatives from many local governments and state agencies.
- The District has multiple data backups in place in case of a cyberattack.
- The District uses multi-factor authentication (MFA) whenever possible to add security to devices.
- AI tools are used to help monitor for AI-based ransomware.
- Several other sophisticated tools are in place to detect ransomware and suspicious payloads in email attachments.
While all the tools are essential, the most critical part of cybersecurity success is having an educated team and a broader “all in this together” attitude. According to CISO Magazine, 88% of data breaches are caused by human error.
“When it comes down to it, humans are the weakest link in cybersecurity,” Eric said. “So, providing ongoing education and having employees practice what we teach is front and center of what we do.”
Cybersecurity is not a one-and-done issue, either, which is why training and audits are ongoing. It’s also why Eric and the team stay plugged into the broader cybersecurity community to stay up on the ever-changing threats and how to prevent them from being an issue at FCLWD.
What Makes Cybersecurity an Ever-Evolving Battleground
Cyberattacks have been a problem since the widespread implementation of the Internet, but the 2020s have seen a ransomware epidemic, along with a rising number of infrastructure attacks and nation-state-sponsored attacks. Two primary causes of this uptick are the mass move of the workforce to work remotely during the pandemic and the boom of AI technology.
“COVID absolutely helped accelerate systems being run remotely and an increased reliance on cloud-based applications,” Eric explained. “Out of necessity, everything has become accessible from the Internet. Of course, we have strict security practices, protocols and protections in place, but there is an inherent risk to anything remotely accessible from the Internet.”
This was the case with the Oldsmar, Florida incident we mentioned earlier. Hackers were able to change the chemical makeup of the water in an underground reservoir that provides drinking water for nearly 15,000 people simply by gaining remote access to an on-site computer.
AI takes the threat potential to a new level because of its ability to change code and create copycat content like never before. For example, until recently, with proper training, it was possible for most people to identify a phishing email or text. But with AI, phishing scams appear more realistic than ever, making phishing emails and texts nearly undetectable. In addition, polymorphic ransomware is a new kind of ransomware powered by AI that can change code on its own to become undetectable. So, if a company’s security system flags the ransomware once, it can change its code and try again as many times as needed.
FCLWD is Devoted to Our Mission
Remote systems and AI aren’t going anywhere, and neither are hackers who want to exploit critical infrastructure. Organizations can never eliminate this ongoing risk, only reduce it. These are just realities of the cyberattack landscape. This is why FCLWD takes such a proactive approach and invests in cybersecurity as we seek to minimize risk and impact in order to help uphold our mission of providing secure water to our customers.
It’s important to remember that cybersecurity affects us all, from individuals to large corporations and everything in between. In early 2023, Eric shared some great digital security tips you can easily implement to protect your personal information. Check out the blog to read up on his cybersecurity tips and tricks for at home.