Introduction
The terms “cybersecurity” and “environmental protection” aren’t typically used together. You might think of trees, clean air, or endangered species when you hear the phrase “environmental protection.” You might think of hackers, email scams, or identity theft when you hear the term cybersecurity.
So, what is the link between cybersecurity and environmental protection? There’s a lot more to it than meets the eye. Infrastructure is one of the most serious cybersecurity dangers to the environment. Take, for example, water infrastructure. Most municipal drinking water supplies in industrialised economies come from utility districts, which rely on huge infrastructure to capture, treat, and distribute drinking water.
Municipal water is then transported away via wastewater infrastructure, where it is treated before being returned to natural systems.
The drinking water and wastewater systems have one thing in common: they both require a lot of infrastructure. Pipelines, huge treatment facilities, and distribution networks are required to treat municipal water at both the consumption and disposal ends of the spectrum. Command and control centres link all of this infrastructure together. And those centres are all run on interconnected computer networks, which are exposed to a variety of security risks ranging from external hacking to malicious insiders.
The moral of the storey is that cybersecurity isn’t just a worry for the digital world. Having safe digital and information systems is equally crucial for the physical world, which is very real and very concrete.
The environment’s (and public health’s) health is becoming increasingly dependent on cyber command and control systems (which are controlled by computer networks). That means a cybersecurity failure could result in massive pollution events and critical infrastructure failure. Furthermore, cyber criminals compromising massive infrastructure would have a greater psychological toll (or social sentiment) on the public than what are now becoming commonplace data breaches affecting things like credit card accounts. Infrastructure hacks that harm the environment or public health would be much more expensive than just the physical damage.
This tutorial aims to give a broad overview of cybersecurity’s role in environmental protection. It will primarily focus on the function of cyber-physical systems’ command and control elements in protecting environmental health. However, the lessons acquired at the infrastructure level can easily be transferred to other networks and systems that contribute to environmental and public health protection.
The Environment and Cybersecurity
There are 153,000 public drinking water infrastructure systems and 16,000 public waste water districts in the United States alone, according to the Cybersecurity and Infrastructure Security Agency (CISA). Around 80% of residents in the United States acquire their drinking water from a public water system, while about 75% rely on municipal wastewater services.
The CISA list of National Critical Functions includes environmental services such as drinking water and wastewater. National Critical Functions (NCFs) are defined by the CISA as “government and private-sector functions so important to the United States that their disruption, corruption, or dysfunction would have a crippling effect on security, national economic security, national public health or safety, or any combination thereof.”
The list of NCFs is divided into four major categories:
- Connect — is a term that refers to information networks and the internet, as well as communications and broadcasting, as well as telecommunications and navigation services.
- Distribute — has to do with logistics and supply chains.
- Manage — refers to key services including election management and sensitive documents and information, as well as infrastructure, capital markets, medical and health facilities, public safety and community health, and hazardous materials and wastewater.
- Supply — relates to the distribution of fuel and energy, food, critical materials, housing, and drinking water.
Water supply and wastewater management are two of the four key types of infrastructure deemed vital to the continuous safe operation of local, regional, and national government, according to the CISA’s National Critical Infrastructure classification. Environmental infrastructure, such as water treatment plants, are desirable targets for cybercriminals such as ransomware seekers, disgruntled employees, and terrorists for this reason alone.
The magnitude of a possible infrastructure attack is similarly enormous. With the same amount of effort that it takes to hack one account or system, a cybercriminal might potentially influence the daily lives of millions of people through social engineering or insider attacks.
It’s worth noting that this type of critical infrastructure classification and designation isn’t restricted to the United States. The European Commission (the EU’s executive arm) also maintains a list of vital infrastructure, which includes drinking water and wastewater management as two of the most crucial systems to protect against attack or disruption.
Another parallel that can be drawn between environmental protection and sustainability and cybersecurity is that both are frequently viewed as issues that are subject to the “tragedy of the commons.” Like regulating the ocean or developing comprehensive climate change policy, cyberspace is seen as vast and poorly defined in terms of boundaries and responsibilities.
Most entities (in this case, companies, organisations, and people) only have a reactive or defensive posture when it comes to cybersecurity, much as most legal jurisdictions do not deal with concerns like carbon emissions, sea level rise, or ocean acidification proactively. At the moment, there isn’t much in the way of a proactive cybersecurity police force that acts in the public interest. The laws and procedures regulating cybersecurity best practises are proving difficult, just as environmental regulation and enforcement.
Cybersecurity Challenges to Environmental Protection Infrastructure: A Case Study
The first case study of a cybersecurity breach that could have an impact on the environment and public health was published in 2016. In some ways, this instance, in which authorities withheld numerous details in order to safeguard the investigation into the breach, serves as a fantastic example. The main reason for this is that it might have happened anywhere.
The attack was carried out by a group of hackers who were able to get access to the backend of a network that controlled a drinking water treatment plant. To mask identifying characteristics, this plant was given the name Kemuri Water Company in press sources (such as this one in Infosecurity Magazine).
Employees noticed strange behaviour in the company’s system’s programmable logic controllers at first. Computer programmes regulate the controllers, which are responsible for releasing predetermined amounts of chemicals at specified moments during the drinking water treatment process, among other things. The pace of drinking water flow from the plant was also hampered by the attack.
After some digital forensics by Verizon Solutions, which handled portions of the water treatment plant’s networking, it was revealed that hackers (apparently with connection to Syrian operations based on the IP addresses used) acquired access to 2.5 million ratepayers’ credit card and billing information. The assailants appeared to be for money and personal information, and it was unclear from the later investigations whether the assailants were even aware.
The second case study of cybersecurity hacking with environmental consequences resembles the first case study in certain ways. The majority of the information are shrouded in obscurity once again, although a few of media accounts provide a few peeks into the incident.
According to media reports, a group of hackers purportedly based in Russia infiltrated the computer networks managing drinking water infrastructure in two American communities in 2011. The first occurrence took place in an undisclosed city in Illinois, while the second took place in Houston, Texas.
To summarise the cyberattack, a hacker took control of a pump that distributes drinking water via a pipeline. The hacker repeatedly turned one of the pump’s valves on and off, causing the pump to break. Following the FBI and Department of Homeland Security’s investigation and comments, the hacker revealed that he or she (or they) had also acquired access to the South Houston Water and Sewer Department’s system, which was protected by a three-letter password.
It’s no accident that both of the above case studies were linked to hackers based outside of the United States. After being fired, unhappy employees of energy infrastructure corporations, including a nuclear reactor in Texas and offshore oil rigs in California, have hacked into proprietary systems to purposefully cause disturbances.
All of this is to suggest that infrastructure operators must account for and defend against multiple cybersecurity threats.
What Makes Cybersecurity Challenging with the Environmental Protection and Environmental Health Field?
Developing cybersecurity best practises in the environmental industry is difficult for a variety of reasons. To begin with, as previously stated, cybersecurity and environmental protection are not commonly related. Second, while critical infrastructure such as water and electricity systems are vital, they have never been subject to cyberattacks in the past. However, as more infrastructure becomes connected, the number of cyber attack surfaces continues to rise. Finally, in the past, bad actors have increasingly targeted environmental services or essential infrastructure as a strategy to multiply the effects of an attack by hurting social sentiment and public trust.
One of the most difficult aspects of adopting cybersecurity in the environmental domain is the requirement for a comprehensive and complete regulatory framework that is both tactical and surgical in nature. Individual environmental infrastructure operators should have considerable room to respond to specialised dangers and immediate incidents, ideally through regulation or rules.
Coming up with generally agreed-upon cybersecurity policies is difficult, as it is in other areas of environmental control. The problem is exacerbated by the fact that different drinking water and wastewater utilities (as well as other forms of infrastructure and environmental service providers) operate their systems using different types of technology and computer networks.
In other words, cybersecurity policy and best practise advice for infrastructure operators must be both specific and general in order to be effective and influential. Finding a happy medium is a difficult undertaking.
While some of the higher-level organisational and policy elements may appear out of reach for local drinking water and wastewater treatment plant operators, there are a few fairly basic things that can be done to assist protect environmental infrastructure against cyber attacks.
Some basic ideas are included in the Water Information Sharing and Analysis Center’s (additional information about this organisation can be found below) list of 15 Fundamentals for Water and Wastewater Utilities.
- Regularly assess the risks.
- User controls must be enforced (and password best practices)
- Physical access to digital infrastructure should be restricted.
- Create policies and processes for cybersecurity.
- Prepare for cyber-attacks and emergencies.
The Water Information Sharing and Analysis Center’s (WaterISAC) website has the whole list of suggestions.
Cybersecurity Solutions for the Environmental Field
Understanding all of the vulnerabilities encountered by environmental and infrastructure service providers is the first step in designing cybersecurity solutions for the cybersecurity area.
The good news is that a number of specialised companies are forming that are knowledgeable with and capable of dealing with the rise in cyberattack-related activity, especially as it relates to environmental infrastructure.
Here are a few instances of companies that are now reporting and investigating cyberattacks that are ecologically sensitive:
The Water Information Sharing and Analysis Center (WaterISAC) is a non-profit organisation situated in Washington, DC, that collaborates with the Environmental Protection Agency. The 2002 Bioterrorism Act established WaterISAC as an official information sharing and operations body. WaterISAC collects data on verified and suspected cyber events from water treatment and waste water treatment infrastructure operators.
The Cybersecurity and Infrastructure Security Agency (CISA) was established as a new governmental agency to address the growing threat of cyberattacks on infrastructure. The agency has a number of cybersecurity materials, as well as standards for reporting cyber incidents.
The American Water Works Association is a Denver-based nonprofit organisation dedicated to the water business. The organisation offers a variety of resources on cybersecurity protocol and best practises.
Preparing for and averting cyber attacks and cyber catastrophes will only grow more crucial in the long run. Lani Kass, a former adviser to the US Joint Chiefs of Staff on security issues, told the BBC that everyone needed to do a better job of understanding cybersecurity and the vulnerabilities of critical infrastructure after a cyberattack on water infrastructure in two American cities by hackers linked to Russia. In the news report, she was reported as saying, “The going in notion is always that it’s simply an occurrence or happenstance.” “And it’s difficult — if not impossible — to establish a pattern or connect the dots if each instance is seen in isolation. We were caught off guard on 9/11 because we failed to connect the dots.”
Additional Resources and Reading
American Water Works Association — Water sector cybersecurity risk management guidance, 2019.
Cybersecurity and Infrastructure Security Agency — Assessments: Cyber resilience review, 2020.
Institute for Security and Development Policy — Climate change, environmental threats, and cybersecurity in the European High North, (Sandra Cassotta, 2020).
WaterISAC — 15 cybersecurity fundamental for water and wastewater utilities — Best practices to reduce exploitable weakness and attack, 2019.
