Federal lawmakers have started to take note. Congress passed the America’s Water Infrastructure Act of 2018, sponsored by Sen. Amy Klobuchar (D-Minn.) and signed into law by President Trump. This bill requires any water utility serving 3,300 or more people to carry out a risk and resilience assessment of its networks, including a review of its cybersecurity framework.
In addition, cybersecurity experts project that targeted ransomware attacks are set to rise. In a recent threat outlook, analysts at Booz Allen Hamilton predicted “a plausible uptick in state-sponsored attacks and intrusions at water utilities,” citing an alert from DHS that claimed Russian hackers had already targeted U.S. water networks. In fact, according to EmergIn Risk, three quarters of utility companies have experienced a data breach in the past 12 months, with average clean-up costs around $156k per breach. In another cybersecurity breach, PG&E was fined $2.7 million for security oversights that allowed hackers to gain remote access to the power provider’s systems. More than 30,000 company records were left unprotected, including usernames and passwords, which a malicious attacker could use to breach the secure infrastructure and access critical cyber assets.