Water, water, everywhere under attack

Water utilities should begin work immediately to secure their systems against catastrophic cyberattack, according to a new strategy document sponsored by the American Water Works Association and Homeland Security Department.

The cyberthreat to water systems is growing, the report said. For example, in St. Louis in 2005, cyberattacks on gauges at the Sauk Water Storage Dam resulted in an unauthorized release of a billion gallons of water. In Harrisburg, Pa., in 2006, a hacker planted malicious software in a filtration plant that could have affected water treatment operations.

Managing cyber risks for the more than 5,000 water utilities in the United States could be a major business opportunity for contractors, but the extent of the opportunity is not known at this time.

The Roadmap to Secure Control Systems in the Water Sector outlines one-year, three-year and 10-year goals for water utilities to upgrade their control systems and information technology architectures and networks to protect against cyberattacks and identify vulnerabilities.

Within a year, water plants ought to create teams of IT and control engineers, integrate control system security needs into vendor contracts and elevate control system security in all business plans, the report indicated.

Within 10 years, the water systems ought to have a robust portfolio of security tools and systems along with new IT architectures, protection for older systems and secure communications.

The road map was developed by the Water Sector Coordinating Council Cyber Security Working Group. The water sector council is one of 17 such sector councils established under the National Infrastructure Protection Plan.

Water utilities are facing many challenges in implementing the road map at a time when cyberthreats are increasing, the report said. Foremost among them is that managers of such utilities often do not recognize the significance of the cyberthreat against industrial control systems (ICSes).

"Strong commitment, direct involvement and ongoing support do not exist from senior leaders because they are unaware of the magnitude of ICS security risk. The lack of an established business case for implementing ICS security has also kept executives from developing security policies that integrate IT with ICS security and from institutionalizing these policies into the overall management structure," the report said.

Installing and managing cybersecurity protections for IT systems has been an active area for government contractors.