17837_Authority_Oct

6 The Authority | October 2024 P reventing a D igital F lood : C yber I nsurance for P ennsylvania W ater & S ewer S ystems By Evan Ridington, Arthur Hall Insurance T he integration of digital technologies in water and sewer systems has greatly improved efficiency and monitoring capabilities. However, this digital transformation has also exposed these critical infrastructures to cyber threats. In recent years, water and sewer systems have become prime targets for cyber-attacks, making it imperative for utilities and authorities to address known vulnerabilities and bolster their cybersecurity defenses. In 2023, the Aliquippa water authority experienced a cyberattack allegedly tied to a pro-Iran hacking group (Stanish, 2023). Another local government in Butler County, was hit by a cyberattack that compromised the personal information of thousands of residents (Guise, 2024). Another water authority near Pittsburgh had an incident involving an Iranian- affiliated hacker targeting critical infrastructure, including a water treatment facility. The attack aimed at causing reputational damage rather than specific operational disruptions (Perrone, 2023). A hacker gained remote access to the Florida’s Oldsmar water treatment plant’s SCADA system and attempted to increase the levels of sodium hydroxide (lye) in the water supply to dangerous levels (Bergal, 2021). The incident highlighted the vulnerabilities in smaller municipal water systems. In March 2021, the San Francisco Bay Area’s water treatment facilities were targeted by a ransomware attack. The hackers encrypted data and demanded a ransom to restore access (Collier, 2021). A former employee of a Kansas water treatment facility was indicted for remotely accessing the plant’s SCADA system and shutting down key processes, intending to cause harm (Vockrodt, 2021). This article explores these vulnerabilities and offers strategies for enhancing cybersecurity, highlighting the role of cyber insurance in mitigating the impact of potential breaches. Known Vulnerabilities in Water and Sewer Systems Water and sewer systems are increasingly reliant on Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control industrial processes. While these systems are essential for operational efficiency, they also present significant cybersecurity risks. Common vulnerabilities include: Legacy Systems: Many water and sewer systems rely on outdated hardware and software that lack modern security features. These legacy systems are often incompatible with current cybersecurity solutions, making them vulnerable to attacks. Lack of Network Segmentation: Inadequate network segmentation allows attackers to move laterally across systems once they gain access. This can lead to widespread disruptions and data breaches. Insufficient Employee Training: Employees who lack proper training in cybersecurity best practices may inadvertently expose systems to threats through actions such as clicking on phishing emails or using weak passwords. Inadequate Patch Management: Delays in applying security patches can leave systems exposed to known vulnerabilities, providing an easy target for cybercriminals. Remote Access Vulnerabilities: With the increasing use of remote access for monitoring and control, securing these connections is crucial. Insecure remote access points can be exploited to gain unauthorized access to critical systems. Cyber insurance provides losses, resulting from cyb breaches, system downti