How Better Password Security for Water Utilities Can Help Prevent Cybersecurity Incidents

Water utilities may not immediately be top-of-mind when one thinks about cyberattack targets; typically, that designation goes to finance, healthcare, and other critical infrastructure sectors, such as nuclear power. Despite their seemingly benign role, they are an ideal target for hackers. Water utilities are also a target because so many critical third parties (emergency services, hospitals and healthcare facilities, firefighting services) rely on water to sustain their operations.

One of the simplest, and most impactful steps water utilities companies can take to protect their users and teams, is to deploy an enterprise-grade password manager. Password managers, such as Bitwarden, help strengthen water utility digital infrastructures by enhancing password security and enabling additional access controls, while empowering each individual user with the tools to simplify their workflow, while also making it more secure. 

To start, water utilities provide a good - water - that is consumed by a large number of people within a small radius. Depending on the breadth, scope, and nature of the cyberattack, a compromised water supply could range from disruptive (temporarily shutting down the supply) to deadly (poisoning water with chemicals). Hackers, some operating from thousands of miles away, can easily cause an outsized impact to an area’s population. One example of a near-disastrous water utility attack occurred in 2021, when hackers hijacked a Florida water plant’s operational technology system and manipulated chemical levels in the local water drinking supply. Thankfully, an observant operator quickly fixed the settings and prevented a tragedy. 

Recent survey data and real-world incidents reveal how vulnerable water utilities are to cyberattacks. In late 2023, the Municipal Water Authority of Aliquippa, which serves a portion of Western Pennsylvania, was targeted by Iranian hackers. According to a PBS report, the hackers shut down a remotely controlled device that monitors and regulates water pressure at a pumping station. Also targeted in late 2023, was a North Texas water utility, which found itself impacted by ransomware that compromised its business computing network.

The U.S. has 150,000 individual water systems; the majority of which are municipality-run, and short on the funding required to help bolster their overall cybersecurity. This makes them vulnerable to cyber-criminals, who, in their quest to sow chaos, or even harm individuals, steal weak or reused credentials in order to gain entry into organizations. 

Building up water utility resilience used to be primarily focused around environmental or sustainability-oriented objectives, such as mitigating risks from climate change. However, industry leaders now consider cybersecurity to be a critical part of operational planning. The Cybersecurity and Infrastructure Security Agency (CISA) explains:

“Both the ability to ‘supply water’ and ‘manage wastewater’ are considered National Critical Functions – functions of government and the private sector so vital to the U.S. that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Unfortunately, the challenges don’t stop there. As mentioned above, most water utilities are municipality-run and do not have dedicated IT security teams devoted to security or staying up-to-date on the latest threats. Another large area of concern is that water utilities often rely on outdated, legacy IT equipment that is challenging to upgrade or make compatible with more current, cloud-based technology. 

Other vulnerabilities include reliance on operational technology (OT) systems and industrial control systems (ICS) that have expanded attack surfaces; weak or default credentials; and remote service technologies. It isn’t just that the nature of water utilities makes them inherently vulnerable - it’s that the systems protecting those utilities are vulnerable, as well. 

A survey conducted by the Water Sector Coordinating Council found that most water utilities were not prepared to prevent cybersecurity incidents. Takeaways from the survey demonstrate an urgent need to improve preparedness programs, including:

• 32% of respondents don’t conduct cybersecurity risk assessments or know if they conduct cybersecurity risk assessments

• 38% allocate less than 1% of their budgets to information technology (IT) cybersecurity, while 45% allocate less than 1% to operational technology (OT) security

• 64% of respondents said that their utility does not employ a Chief Information Security Officer (CISO) or equivalent

• 42% of respondents do not have a cybersecurity awareness program

• Only 22% of respondents have implemented cyber protection efforts that are monitored regularly

YOU MIGHT ALSO LIKE: Why Employees are the Front Line of Enterprise Threat Prevention

A joint fact sheet issued by CISA, the FBI, and the EPA highlights ways to manage cyber threats by implementing several cybersecurity initiatives, to name a few:

• Reduce exposure to the public-facing internet

• Conduct regular cybersecurity assessments

• Change default passwords immediately

• Conduct an inventory of operational technology/informational technology assets

• Develop and exercise cybersecurity incident response and recovery plans

• Backup OT/IT Systems

Water utilities can implement some of the recommendations presented above immediately. Going back to the key recommendation cited earlier, water utilities should also go beyond changing default passwords and implement an enterprise-grade password manager that will deliver better password security, provide additional access controls, help train employees in cybersecurity practices, and support cybersecurity incident response strategies.

In December 2023, U.S. water utilities connected to the open internet with the default password of ‘1111’ had been hacked. Given the critical nature of the U.S. water supply, it is necessary for utilities to adopt a password manager like Bitwarden. 

Nearly 81% of hacking-related breaches succeed through stolen or weak passwords. Enterprise-grade password managers, such as Bitwarden, serve as a first line of defense against cyber-criminals. By limiting the use of weak or reused passwords, they help protect sensitive information that might otherwise be exposed. 

Implementing an enterprise-grade password manager like Bitwarden enables water utilities to generate and store strong and unique passwords for various systems and accounts, reducing the vulnerability to password-related breaches. Other key benefits include:

• Strengthening authentication with single-sign-on (SSO) and directory integration options.

• Enforcing strong password policies such as minimum password length and two-factor authentication, offering an additional bulwark against data breaches.

• Protecting against credential attacks by eliminating the need for weak or reused passwords and ensuring employees can share credentials securely.

• Enabling role-based access controls that allow administrators to customize permissions, control who has access to certain functions, and issue granular permissions (e.g. Hide Passwords, Read-Only). By limiting user access based on necessity, utilities maintain control over sensitive systems. Monitoring log events provides additional protection.

• Centralizing business information in an end-to-end encrypted vault that protects not just passwords, but company cards and other personally identifiable information (PII). Cyber-criminals seeking to disrupt water supply may also come across other sensitive information that could be stolen and used to compromise other accounts. Encryption makes this virtually impossible.

• Improving Cybersecurity Culture: Building employee awareness around password security best practices creates a more advanced security culture and encourages employees to be more thoughtful about their password management practices.

The digital infrastructures of water utilities present a unique security challenge because they control, manage, and protect the only utility that people can ingest. This lends urgency to the need for more stringent security controls. Fortunately, water utilities can take a big step in the right direction by implementing an enterprise-wide password manager that will immediately secure critical data. In doing so, they are also further protecting society’s health and well-being.

To explore Bitwarden business features and capabilities, get started with a free trial today.