Water, water, everywhere under attack

Water utilities should begin work immediately to secure their systems against catastrophic cyberattack, according to a new strategy document sponsored by the American Water Works Association and Homeland Security Department.

The cyberthreat to water systems is growing, the report said. For example, in St. Louis in 2005, cyberattacks on gauges at the Sauk Water Storage Dam resulted in an unauthorized release of a billion gallons of water. In Harrisburg, Pa., in 2006, a hacker planted malicious software in a filtration plant that could have affected water treatment operations.

Managing cyber risks for the more than 5,000 water utilities in the United States could be a major business opportunity for contractors, but the extent of the opportunity is not known at this time.

The Roadmap to Secure Control Systems in the Water Sector outlines one-year, three-year and 10-year goals for water utilities to upgrade their control systems and information technology architectures and networks to protect against cyberattacks and identify vulnerabilities.

Within a year, water plants ought to create teams of IT and control engineers, integrate control system security needs into vendor contracts and elevate control system security in all business plans, the report indicated.

Within 10 years, the water systems ought to have a robust portfolio of security tools and systems along with new IT architectures, protection for older systems and secure communications.

The road map was developed by the Water Sector Coordinating Council Cyber Security Working Group. The water sector council is one of 17 such sector councils established under the National Infrastructure Protection Plan.

Water utilities are facing many challenges in implementing the road map at a time when cyberthreats are increasing, the report said. Foremost among them is that managers of such utilities often do not recognize the significance of the cyberthreat against industrial control systems (ICSes).

"Strong commitment, direct involvement and ongoing support do not exist from senior leaders because they are unaware of the magnitude of ICS security risk. The lack of an established business case for implementing ICS security has also kept executives from developing security policies that integrate IT with ICS security and from institutionalizing these policies into the overall management structure," the report said.

Installing and managing cybersecurity protections for IT systems has been an active area for government contractors.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here


  • POWER TRAINING: How to engage your customers

    Don't miss our Aug. 2 Washington Technology Power Training session on Mastering Stakeholder Engagement, where you'll learned the critical skills you need to more fully connect with your customers and win more business. Read More


    In our latest Project 38 Podcast, editor Nick Wakeman interviews Tom Romeo, the leader of Maximus Federal about how it has zoomed up the 2019 Top 100. Read More

contracts DB

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.