The German IT Security Act labels the following installations as ‘critical infrastructures‘: the pipelines and sewers for water supply and wastewater disposal, along with all the technical equipment required to provide drinking water or industrial process water, and drain and treat wastewater. They are especially worthy of protection because of their important contribution to services of general interest, in other words basic services for the population. As digitalisation progresses, these infrastructures of critical importance are becoming still more ‘vulnerable’ because, like all smart applications, they are exposed to cyberattack.
“We are seeing how the expert debate on Water 4.0 is failing to take adequate account of the digital system’s susceptibility to both targeted sabotage and cyberattack, and to human and technical error“, says water expert Martin Zimmermann from ISOE – the Institute for Socio-Ecological Research. “It is above all the many small companies in the field of urban water resources for whom digitalization poses major problems, as such utilities are unable to meet the high demands posed by IT security and data protection.” This also explains the hesitancy among smaller companies to go with the trend towards smart, networked, and automated water supply and disposal systems with a strong customer orientation.
Cyber criminality in the water sector – threat scenarios for man and nature
Martin Zimmermann is convinced: “Unfortunately, the government bodies responsible have long concentrated on the large plants and catchment areas. But in Germany especially, urban water resources are organised very much at local level, and so it is vital that in future the regulations governing the protection of critical infrastructures also take into account the needs of the small and medium-scale companies. After all, the spectrum for potential security failures down to targeted cyber criminality is considerable.
The so-called vulnerable components of the water supply include all areas of urban water resources, from water catchment and treatment through water distribution down to wastewater disposal. “Attempts at manipulation are fundamentally possible in all these areas of urban water resources”, says Manfred Zimmermann. Obvious examples are the manipulation of raw water extraction from groundwater, lakes or dams, or attacks on water treatment processes at water utilities. Pump failure can also lead to problems with water distribution.
Other possible scenarios are targeted cyberattacks on specific sectors or limited areas. Financial districts such as that in Frankfurt or internet hubs and data centres whose cooling systems depend on water are conceivable in this context. The supply of water to residential and office blocks by private service providers must also be seen as critical. The outsourcing of operation and maintenance to external facility management providers opens up a further cyber security gateway. “Generally speaking, manifold threat situations exist for society and nature”, says Martin Zimmermann. “In both cases, a total failure of water supply and water disposal, or indeed a temporary malfunction of individual components, can result in quite different risk situations and degrees of magnitude depending on the scenario."
Improve the IT Security Act now
Martin Zimmermann and his co-authors therefore point out in their article on urban water resources in the digital era, ‘Siedlungswasserwirtschaft im Zeitalter der Digitalisierung‘ (TATuP 29/1 2020), how the imminent amendment to the German IT Security Act is a good time to factor in the security problems of the smaller companies.
Since cyber security is the ‘Achilles heel when it comes to the digitalisation of urban water resources’, the ISOE authors also advise the smaller companies to cooperate with each other. “If not all water supply and wastewater disposal companies are able to build up IT expertise of their own, cooperation between several small companies could be a good means of creating synergy effects. This way they could support each other in matters of cybersecurity”, says Martin Zimmermann.
Zimmermann, Martin/Engelbert Schramm/Björn Ebert (2020): Siedlungswasserwirtschaft im Zeitalter der Digitalisierung. TATuP 29 (1), 37-43