Survey: Many water utilities lack data on IT, OT assets


More than 60% of water utilities say they have not fully assessed what assets comprise their IT networks and only a little more than 21% of those utilities said they are working to do so.

Further, roughly 70% said they have not fully identified all networked operational technology assets and fewer than a quarter are working to do so.

Those figures come from a new survey conducted by the Water Information Sharing and Analysis Center (Water-ISAC) that includes responses from more than 530 organizations.

The survey lands the same day that NBC News reported a hacker in January breached a San Francisco Bay Area water treatment plant and did it with relative ease: using a former employee's credentials for a popular remote work software program.

That incident, which was previously unreported, came just weeks before a water treatment plant in Florida made national headlines when it too was breached through an outdated operating system and vulnerable remote work software.

Of the hundreds of treatment plants that responded to the Water-ISAC survey, only four organizations confirmed a breach of their IT or OT systems in the past year, while dozens responded that they were "not sure" if they had experienced an incident.

In the wake of the attack against Colonial Pipeline, House and Senate lawmakers have repeatedly questioned officials about whether the Cybersecurity and Infrastructure Security Agency should play a greater regulatory role for the natural gas and oil industry when it comes to cybersecurity.

As it stands, CISA only assists private companies when requested, and while recent legislation has given the agency some leeway in terms of administrative subpoenas, it still lacks regulatory powers beyond emergency directives issued for the federal government's civilian networks.

According to data compiled by CISA about the water industry and provided to FCW, roughly 10% of water utilities have reported a critical vulnerability and 40% reported a high vulnerability. Most vulnerabilities water plants have reported -- more than 80% -- were common vulnerabilities and exposures (CVEs) published prior to 2017. (The CISA data was first published in the NBC News story.)

The Water-ISAC published a list of six older CVEs for its members on June 17, saying it was "aware of several reports of threat actors leveraging multiple vulnerabilities to exploit unpatched systems in the water and wastewater sector."

About the Author

Justin Katz is a former staff writer at FCW.

