Setting Up Secure Water Treatment Plants

Blog / Setting Up Secure Water Treatment Plants

The Dangers of Unsecured Water Treatment Plants

Water treatment plants are everywhere. That’s because there are serious challenges involved in transporting water. For one, it flows downhill easily, but sending it uphill is a different story and requires pipes, pumps, and the energy to run them. Pipelines are expensive and impractical, and there are plenty of other issues when it comes to transporting large quantities of water long distances. Of course, the difficulties of water transportation aren’t actually the point of this newsletter. Just keep in mind that due to the distance, most municipalities, even small towns, often need their own treatment plants.

Clean water is an absolute necessity of life, which means water treatment plants are considered critical infrastructure. Unfortunately, that importance also makes them a tempting target, especially for cyberattacks. In fact, the US government recently advised state governors about a massive increase in attacks on water treatment infrastructure. And although it’s true that the US and Canada are not the same jurisdiction, we’re usually considered one and the same insofar as hackers and enemy states are concerned. Besides, on the internet there are no borders, only IP addresses.

It should come as no surprise there are plenty of regulations governing water treatment plants. Lots of them. There are regulations outlining how to treat water, how to test it to ensure the resulting water is safe to drink, and even how to deliver it. There’s also a lot of rules regarding environmental protections and ensuring the surrounding environment remains unharmed, water is conserved, properly qualified people are employed to run the plant, and so on, from both federal and provincial governments. These are fairly large documents with rules regarding almost every topic related to water treatment.

Enabling remote access to water treatment equipment is commonplace for utilities because dispersing contractors across the province for 15 minutes of work isn’t cost effective. So what sort of rules exist regarding network and computer security in water treatment plants? Well, I said “almost every topic” for a reason; there’s essentially no substantial regulation when it comes to cybersecurity for water treatment plants. Maybe it wasn’t considered important when the latest revisions were drafted, or perhaps security concerns weren’t as important compared to environmental and safety issues, or maybe it’s considered just too complex a subject? I can’t say. What I can say is that when it comes to cybersecurity issues like setting up remote access to water treatment equipment, there are almost no rules, and what few are on the books aren’t exactly comprehensive. This doesn’t mean that doesn’t mean every water treatment plant’s network is an unsecured nightmare all the time; just most of it.

Unauthorized access to water treatment plants can result in tens or hundreds of thousands of dollars in damaged equipment, not to mention people getting sick or even dying. Remote access therefore needs to be taken seriously, not simply given over to whatever methods a contractor or company asks for. Remember that responsibility for what happens when an attacker gains access to your equipment, particularly if due to substandard security, falls on your organization.

If your municipality or utility company would like help setting up secure remote access options for important equipment, contact TRINUS and we’ll be happy to help out with some stress-free IT.

This Shakespeare quote comes from The Taming of the Shrew: “There’s small choice in rotten apples.”


Be kind, courtesy your friendly neighbourhood cyber-man.

/Partners /Systems /Certifications

TRINUS is proud to partner with industry leaders for both hardware and software who reflect our values of reliability, professionalism and client-focused service.