IADB publishes cybersecurity study on water infrastructure in Latin America and the Caribbean

22 May 2023 by The Water Diplomat

Source of Innovation, a partnership promoted and co-financed by the Interamerican Development Bank (IDB), has carried out a study on cybersecurity trends in the water and sanitation sector of Latin America and the Caribbean (LAC). The study involved an assessment of LAC’s water and wastewater infrastructure ‘cybersecurity readiness’ and presents key recommendations for public and private sector actors to increase their organization’s overall cyber resilience.

In the past decades, various kind of urban services have made a transition to digital data to improve the efficiency and effectiveness of management systems – improving data availability, reducing operating costs and assisting external communications. However, this process also opens the sector to vulnerabilities including activities of malicious actors and cyberattacks.  Water utilities around the world have been exposed to cyberattacks of various kinds, ranging from ransomware to manipulating vales and flow operations. In response to attacks on utilities amongst others in California, North Carolina, Florida, Kansas and Puerto Rico, The U.S. Environmental Protection Agency (EPA) has in March this year required states to assess the cyber security capabilities of their drinking water systems. In the U.K., a water utility in South Staffordshire suffered an attack on its IT systems.

The cyberattacks can originate from different kinds of groupings: attacks from sovereign states, cybercriminals seeking financial gains, terrorists, ‘hacktivists’, etc. In LAC, the study mentions that the most prominent threats are currently financially motivated and take the form of ransomware or malware attacks. The study notes a rapid increase in these attacks over time and proposes a range of responses to enhance the protection of the sector against this form of crime.

The first such response is at the policy level, requiring national, subnational, and local level actors to develop a vision on cybercrime and develop clear policy goals in response. Secondly, the water and sanitation need to be classified as critical infrastructure by law, which is something that most states have not yet done. Thirdly, partnerships need to be developed with actors in society to incorporate the cyber knowledge in the private sector and come up to speed with best practices. Fourth, internal management culture needs to be adapted to incorporate cyber awareness. And fifth, practical steps need to be taken internally to respond adequately, such as mapping risks, identifying and protecting vulnerable devices and systems, preparing for incident responses and implementing security requirements.