Most recent cyber attacks on water systems won't be the last, says cybersecurity expert

More government agencies are taking steps to shore up their cybersecurity measures. Earlier this week, the Environmental Protection Agency announced it would step up inspections of water facilities that may be vulnerable to cyberattacks.

Why are government agencies more at risk when it comes to cyberattacks and operational vulnerabilities?

Lee McKnight is an associate professor in the Syracuse University School of Information Studies (iSchool) whose research specialty includes cybersecurity.

"With state-sponsored actors taking advantage more frequently of outdated to non-existent water supply security practices, it is refreshing—like a glass of (clean) water—that the EPA and CISA have begun to raise the alarm. The fact that 70% of water systems upon inspection failed to demonstrate their ability to maintain basic cyberhygiene is regrettable, but far from shocking.

"It is overdue for the public and private sector organizations supplying and supporting water systems to take these threats seriously. Even if the nightmare worst case scenarios have not happened at scale, the entire sector has to prioritize cybersecurity, just as oil pipelines belatedly did after the successful ransomware attack on the Colonial Pipeline several years ago precipitated.

"In the case of water supplies, the risks are more local but can be no less devastating if their operational technology is breached.

"Sending the sector's IT workforce back to school—or at least scaling up online sector-specific training programs—is long overdue. Beyond 'IT' workers, the wider workforce must have more opportunities for training in basic cyberhygiene as well.

"Since now that it is widely known that cyber-attackers have a 70% probability of finding a soft target when going after a water system—unfortunately, we know the most recent successful cyberattacks on water systems will not be the last."