Barracuda Networks recently analyzed the threats facing the water and wastewater sector and highlighted a number of challenges for U.S. water and wastewater utilities. Based on previous and recent EPA reporting, Barracuda assessed that a significant number of the 152,000 public drinking water systems in the U.S. are non-compliant with the cybersecurity requirements of the Safe Drinking Water Act. Common violations include inadequate password management and lack of multi-factor authentication. As federal agencies continue to warn of the threat that nation-state cyber actors pose to the water sector, these challenges are heightened even further.

Additionally, Barracuda further assessed that many water utilities have failed to complete essential risk and resilience assessments and emergency response plans, further exposing them to threats. Moreover, a range of cyber threat actors have increasingly targeted the sector. For example, state-sponsored threat actors from Russia and Iran have targeted water and wastewater utilities, exemplified by attacks such as the breach in Muleshoe, Texas early last year. The attacks have continued, notably driven by alleged hacktivists. In late September, WaterISAC shared an TLP:AMBER threat advisory concerning Russian-linked threat actors targeting water utilities.

Challenges persist particularly for smaller water systems, which often lack resources and expertise in cybersecurity. To mitigate these risks, Barracuda advocates for implementing best practices, including access controls, incident response planning, and staff training, while emphasizing the importance of community engagement in advocating for improved cybersecurity resources. Members are encouraged to review WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities, particularly fundamentals 1, 3, and 6 which cover these topics in depth. For more information, visit Barracuda Networks.

Additional Analysis:

• Hackers Are Hot for Water Utilities | Dark Reading