Critical Cybersecurity Threats Facing Water Systems in Maine and Beyond
In recent years, critical water systems across Maine and the United States have been increasingly threatened by cyber attacks, revealing alarming vulnerabilities in essential infrastructure. A recent warning from federal authorities has underscored that many of these water systems do not even meet basic cybersecurity standards. This has sparked a concerted effort to enhance education and harden systems against potential ransomware attacks and phishing schemes that could jeopardize the integrity of these vital services.
A Small Town’s Wake-Up Call
The Town of Mount Desert serves as a poignant example of how even small, seemingly isolated facilities can fall prey to cyber threats. Three years ago, the town experienced a ransomware attack that left its wastewater district in a precarious position. Superintendent Ed Montague recounted the day he arrived at work to find himself locked out of critical files on his computer. A pop-up message demanded a ransom, threatening to sell the district’s data on the dark web if payment was not made.
Fortunately, the town opted not to pay the ransom, primarily because they had the capability to rebuild their administrative system from backups. Additionally, the plant’s largely analog setup meant that the attackers could not access any critical operational controls. Montague expressed relief, stating, “It was a relief to know that nobody was able to actually affect anything within the plants.”
National Threat Landscape
While Mount Desert managed to avoid severe repercussions from the attack, larger water utilities across the nation have not been as fortunate. Just last month, American Water, one of the largest water utilities in the country, fell victim to a cyber attack that forced multiple systems offline. Senator Angus King (I-Maine), who co-chairs the National Cyberspace Solarium Commission, emphasized the seriousness of the situation, stating, “Cyber is the new warfare and it’s coming at us in all kinds of different ways.”
The Commission’s final report outlined over 80 recommendations aimed at improving cybersecurity for vulnerable organizations, particularly those operating on outdated systems without dedicated cybersecurity staff. King noted that Maine has already seen cyber incidents affecting hospitals and municipalities, and now water systems are increasingly at risk due to their relatively small size.
In Maine, two water utilities have been targeted this year by sophisticated phishing campaigns. Fake emails, appearing to come from the state’s Drinking Water Program, demanded that utilities verify their information within 24 hours or risk losing their licenses. Fortunately, no utility fell for the phishing attempt, but experts warn that such tactics are becoming more common nationwide. King pointed out that around 80% of successful cyber attacks stem from someone within an organization clicking on a phishing email.
Federal Standards and Local Solutions
A recent report from the Environmental Protection Agency (EPA) revealed that over 70% of medium and large U.S. drinking water systems failed to meet basic cybersecurity standards. The findings were alarming, with some systems neglecting to change default passwords, using single logins for all staff, or failing to restrict access for former employees. The EPA has urged states to enhance efforts to protect water and wastewater infrastructure, warning that a cyberattack on a vulnerable water system could allow adversaries to manipulate operational technology, leading to significant consequences for both utilities and consumers.
In Maine, many utilities are taking these warnings seriously. Chad Davis, IT Director for the Portland Water District, stated, “We know that this stuff is happening. The biggest thing is you have to plan for it.” The district recently completed a federally funded cybersecurity audit to identify and address potential vulnerabilities, which left it in a more secure position. It has implemented an “air gap” system to isolate its operational technology network from the internet, alongside staff training on phishing and other cyber threats.
Improving Security Across the State
In response to the EPA’s directive, Maine’s Department of Environmental Protection and the Maine CDC have ramped up cybersecurity education and outreach to drinking water and wastewater facilities. Brian Kavanah, Director of the Bureau of Water Quality at the Maine DEP, emphasized the importance of these facilities, stating, “They need to be up and running 24/7, 365 days a year without interruption.”
These agencies are collaborating closely with utilities statewide, offering training and resources to bolster defenses. Organizations like the Maine Water Utilities Association and the Maine Rural Water Association are also stepping up their educational efforts. Kavanah noted that while progress is being made, particularly with smaller facilities lacking dedicated IT staff, it will take time to implement comprehensive solutions.
The Next Frontier of Defense
Experts believe that many cyberattacks on businesses and utilities go unreported, leaving the landscape vulnerable. The Cyber Incident Notification Act of 2021, co-sponsored by Senators Angus King and Susan Collins, aims to require critical infrastructure operators to notify the Cybersecurity and Infrastructure Security Agency of any incidents within 24 hours. However, the legislation has stalled since its introduction three years ago.
King warned that if organizations do not strengthen their defenses, future attacks could be even more devastating. He stated, “The next Pearl Harbor will be cyber, and we’ve got to be ready for it.” As Maine’s water utilities face an urgent need to adapt to an evolving landscape of cyber threats, increased awareness and preparation are crucial to preventing the worst.
In conclusion, as cyber threats continue to evolve, the importance of robust cybersecurity measures for water systems cannot be overstated. With the right education, resources, and proactive strategies, Maine and other states can work towards securing their critical infrastructure against the growing tide of cyber warfare.