Cybersecurity and environmental protection aren’t exactly words that are thrown together often. When you hear environmental protection, you might think of forests, clean air, or endangered species. When you hear cybersecurity you might think of hackers, email scams, or identity theft.
So what do cybersecurity and environmental protection have in common? A lot more than it initially appears. One of the main cybersecurity threats to the environment is at the infrastructure level. Take water infrastructure, for example. In developed economies most municipal drinking water supplies come from utility districts that rely on massive infrastructure to capture, clean, and distribute drinking water supplies.
And, once used, municipal water is transported away via wastewater infrastructure where it is treated and added back to natural systems.
What both the drinking water and wastewater systems have in common is that they are infrastructure intensive. Treating municipal water, at both the consumption and disposal ends of the spectrum requires pipelines, massive treatment facilities, and distribution networks. All of this infrastructure is tied together with command and control centers. And those centers are all operated from connected computer networks, which are vulnerable to a number of security threats ranging from outside hacks to insider bad actors.
The takeaway here is that cybersecurity should not be a concern only for the digital world. Having secure digital and information systems is also hypercritical for the very real, very tangible physical world.
The health of the environment (and public health for that matter) are increasingly tied to cyber command and control systems (which are controlled by computer networks). That means a failure of cybersecurity could result in massive pollution events and critical infrastructure failure What’s more, the compromise of massive infrastructure by cyber criminals would have a greater psychological toll (or social sentiment) on the public then what are now becoming run-of-the-mill data breaches that affect things like credit card accounts. Infrastructure hacks that cause damage to the environment or to public health would cost way more than just the physical damage.
This guide is intended to provide an overview of the role of cybersecurity in environmental protection. It will focus mainly on the role of the command and control elements of the cyber-physical systems that are used to protect environmental health. But the lessons learned at the infrastructure level can easily be applied to other networks and systems that play a role in protecting the environment and public health.
Cybersecurity and the environment
According to the Cybersecurity and Infrastructure Security Agency (CISA), there are 153,000 different public drinking water infrastructure systems and 16,000 public waste water districts in the United States alone. Approximately 80 percent of US residents get drinking water from a public drinking water service, while about 75 percent of residents rely on municipal wastewater services.
Environmental services like drinking water and wastewater are on the CISA list of National Critical Functions. The CISA defines National Critical Functions (NCFs) as “functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The list of NCFs is broken into four major categories including:
- Connect — relates to information networks and the internet, communications and broadcasting, and telecommunications and navigation services
- Distribute — relates to transportation and supply chains
- Manage — relates to critical services such as the ability to manage elections and sensitive records and information as well as things like infrastructure, capital markets, medical and health facilities, public safety and community health, and hazardous materials and wastewater.
- Supply — relates to the distribution of fuel and energy, food, critical materials, housing, and drinking water.
So, when viewed through the lens of the CISA’s National Critical Infrastructure classification, water supply and wastewater management occupy two of the four major categories of infrastructure deemed critical to the continued safe operation of local, regional, and national government. For this reason alone, environmental infrastructure like water treatment plants provide valuable targets for cybercriminals including hackers looking for ransoms, disgruntled employees, and terrorists.
The scale of a potential infrastructure attack is also staggering. Using social engineering or insider attacks, a cybercriminal could easily affect the daily lives of millions of people with the same amount of effort that it would take to compromise one account or system.
It should be noted, that this kind of critical infrastructure identification and categorization is not just limited to the United States. The European Commission (the executive arm of the European Union), also maintains a list of critical infrastructure and includes drinking and wastewater management among some of the most important systems to defend against attack or disruption.
Another parallel drawn between environmental protection and sustainability and cybersecurity is that they are both often seen as issues that are subject to the “tragedy of the commons.” Like regulating the ocean, or creating comprehensive climate change policy, cyberspace is seen as big and poorly defined in terms of boundaries and responsibilities.
Just like most legal jurisdictions are not dealing with issues like carbon emissions, sea level rise, or ocean acidification proactively — most entities (in this case, companies, organizations, and people) only have a reactive or defensive posture when it comes to cybersecurity. Currently, there is little in the way of any kind of aggressive cybersecurity policing body that acts in the public interest. Just like environmental regulation and enforcement is tough, the rules and policies dictating cybersecurity best practices are also proving elusive.
Case study: Cybersecurity threats to environmental protection infrastructure
The first case study of a cybersecurity breach potentially affecting environmental and public health comes from 2016. In some ways, this case, in which many details were concealed by authorities to protect the investigation of the breach, provides a great example. Mainly, because it could have happened anywhere.
What we do know about the attack is that a group of hackers were able to access the backend of a network that controlled a drinking water treatment plant. In news reports (like this one in Infosecurity Magazine), this plant was given the moniker Kemuri Water Company in order to hide identifying details.
At first, employees at the company started noticing weird behavior in its system’s programmable logic controllers. The controllers are controlled by computer programs, but they are responsible for, among other things, releasing predefined amounts of chemicals during specific times of the drinking water treatment process. The attack also affected the rate of drinking water flow from the plant.
After some digital forensics by Verizon Solutions, which handled some of the networking for the water treatment plant, it was determined that hackers (allegedly based with ties to campaigns in Syria based on the IP addresses used) gained access to the credit card and billing information of 2.5 million ratepayers. The financial and personal information seemed to be the target of the attack, and it was unclear from the subsequent investigations whether or not the attackers were even aware
The second case study of cybersecurity hacking with environmental impacts shares some similarities to the first case study. Again, most of the details are shrouded in mystery, but there are a few glimpses into the attack provided by a handful of media reports.
In 2011, a group of hackers allegedly based in Russia, compromised the computer networks controlling drinking water infrastructure in two American cities, again according to media reports. The first of the connected incidents happened in an unnamed city in Illinois, while the second incident was in Houston, Texas.
To summarize the cyber incident: a hacker gained control of a pump used to distribute drinking water through a pipeline. The hacker turned one of the pump’s valves on and off so many times that the pump eventually broke. Following the investigation and comments made by the FBI and Department of Homeland Security, the hacker made it known that he or she (or they) had also gained access to South Houston’s Water and Sewer Department by compromising the district’s system, which was protected by a three-letter password.
It is a coincidence that the two case studies above both were attributed to hackers operating outside the United States. There are also instances where disgruntled employees of energy infrastructure companies, including a nuclear reactor in Texas and offshore oil rigs in California, hacked into proprietary systems to intentionally create disruptions after getting fired.
This is all to say that there are numerous cybersecurity vulnerabilities that infrastructure operators have to account for and defend against.
What makes cybersecurity challenging with the environmental protection and environmental health field?
There are a number of reasons why developing cybersecurity best practices in the environmental field is challenging. First, as outlined above, cybersecurity and environmental protection are not often thought of as closely associated. Second, while critical infrastructure such as water and energy systems are important, historically, they have not been vulnerable to cyberthreats. But as more infrastructure becomes networked, the number of cyber attack surfaces grows steadily. Lastly, historically, threatening environmental services or critical infrastructure is increasingly becoming a target for bad actors because it is a way to magnify the impact of an attack by damaging social sentiment and public trust.
One of the biggest challenges of implementing cybersecurity in the environmental space is the need for comprehensive and holistic regulation that is both large-scale tactical and also surgical in its approach. Ideally, regulation or policies provide enough room for individual environmental infrastructure operators to respond to specialized threats and immediate incidents.
As is true in other sectors of environmental regulation, coming up with mutually agreed upon cybersecurity policies is cumbersome. The challenge is only compounded by the fact that different drinking water and wastewater utilities (not to mention other types of infrastructure and environmental service providers) use different kinds of technology and computer networks to run their systems.
In other words, cybersecurity policy and best practice recommendations for infrastructure operators needs to be specific enough to be useful and impactful and general enough to be widely applicable. Finding the middle ground is no easy task.
Nevertheless, while some of the higher level organization and policy items might seem out of reach for local drinking water and wastewater treatment plant operators, there are a number of very basic things that can be done to help insulate environmental infrastructure from cyber attacks.
Some recommendations, taken from the Water Information Sharing and Analysis Center’s (more info about this organization can be found below) list of 15 Fundamentals for Water and Wastewater Utilities include some basic tips such as:
- Perform regular risk assessment
- Enforce user controls (and password best practices)
- Restrict physical access to digital infrastructure
- Develop cybersecurity policies and procedures
- Plan for cyber incidents and emergencies
The full list of recommendations can be found on the Water Information Sharing and Analysis Center’s (WaterISAC) website.
Cybersecurity solutions for the environmental field
The first step in developing cybersecurity solutions for the cybersecurity field is to fully understand all of the vulnerabilities faced by environmental and infrastructure service providers.
The good news is that there are a number of specialized entities emerging that are familiar and capable of dealing with the increase of cyberattack-related activity, particularly as it pertains to environmental infrastructure.
Here are just a few examples of organizations that are now taking on reporting and investigation roles for environmentally-sensitive cyberattacks:
- Water Information Sharing and Analysis Center (WaterISAC) is a Washington DC-based nonprofit that works in coordination with the Environmental Protection Agency. WaterISAC is authorized under the 2002 Bioterrorism Act as an official information sharing and operations organization. WaterISAC collects data from water treatment and waste water treatment infrastructure operators about verified and suspected cyber incidents.
- Cybersecurity and Infrastructure Security Agency (CISA) was created as a new federal agency to help deal with growing cybersecurity threats to infrastructure. The agency has a number of cybersecurity-related resources and also maintains cyber incident reporting guidelines.
- American Water Works Association is a water industry nonprofit organization based in Denver. The group provides a number of resources for cybersecurity protocol and practice guidance.
In regards to the bigger picture, preparing for and preventing cyber attacks and cyber incidents will only become more important. After a cyberattack on water infrastructure in two American cities by hackers connected to Russia, Lani Kass, a former adviser to the US Joint Chiefs of Staff on security issues, told the BBC that everyone needed to do a better job of understanding cybersecurity and the vulnerabilities of critical infrastructure. “The going in hypothesis is always that it’s just an incident or coincidence,” she was quoted as saying in the news report. “And if every incident is seen in isolation, it’s hard — if not impossible — to discern a pattern or connect the dots. Failure to connect the dots led us to be surprised on 9/11.”
Additional reading and resources
American Water Works Association — Water sector cybersecurity risk management guidance, 2019. Link to report
Cybersecurity and Infrastructure Security Agency — Assessments: Cyber resilience review, 2020. Link to resource
Institute for Security and Development Policy — Climate change, environmental threats, and cybersecurity in the European High North, (Sandra Cassotta, 2020). Link to report
WaterISAC — 15 cybersecurity fundamental for water and wastewater utilities — Best practices to reduce exploitable weakness and attack, 2019. Link to report