The U.S. Environmental Protection Agency (EPA) and WaterISAC recognized that UASs (unmanned aerial systems), or drones, can pose significant threats to critical infrastructure, due to their accessibility, versatility, and potential for misuse. These threats can range from unauthorized surveillance to physical attacks and even cyberattacks. Drones have revolutionized the critical infrastructure sector by enabling efficient and cost-effective inspections, reducing the need for manual labor and minimizing safety risks associated with hazardous environments. They also provide real-time data and high-resolution imagery, allowing for more accurate monitoring and maintenance of infrastructure assets, leading to improved operational efficiency and reduced downtime.
In the latest quarterly edition of the National Security Information Sharing Bulletin (ISB), the agencies warn that the heightened threat environment is increasing operational risks for water and wastewater utilities across the full spectrum of hazards, from cyberattacks to physical security threats and natural disasters. The issue underscores how emerging technologies are reshaping the risk landscape, while also outlining recent cybersecurity concerns for utilities and recommending measures to strengthen defenses.
“Drones equipped with high-resolution cameras or sensors can gather detailed information on sensitive infrastructure assets. Malicious actors could use this data to identify weak points for sabotage or other physical attacks,” according to the bulletin. “For example, drones could map security perimeters, monitor guard schedules, or detect unprotected access points. The risk of malicious actors using drones to attack a water utility’s hazardous chemical supply is also a growing concern.”
The bulletin highlighted that in a “recent incident reported to WaterISAC, a very large combined utility reported a significant burglary where multiple thieves broke into its water treatment plant and stole tens of thousands of dollars’ worth of copper and other equipment. The utility reported that drones were spotted above the facility prior to the security breach, likely being used to facilitate the theft.”
The WaterISAC-EPA bulletin comes as cyberattacks on water infrastructure escalate worldwide. Just last week, Norway’s Police Security Service (PST) confirmed that pro-Russian hackers seized control of a dam in Bremanger, western Norway, in April, opening a floodgate and letting water flow undetected for four hours. PST described the breach as a deliberate show of Moscow’s ability to remotely compromise critical infrastructure.
In the wake of that disclosure, Polish officials revealed that a cyberattack nearly shut down the water supply to a major city on Wednesday. The attempt was thwarted, Deputy Prime Minister Krzysztof Gawkowski said, without naming the attackers or the city that was targeted. “At the last moment, we managed to see to it that when the attack began, our services had found out about it and we shut everything down,” Gawkowski said. “We managed to prevent the attack.”
Polish authorities have repeatedly warned that the country’s role as a hub for Western aid to Ukraine makes it a priority target for Russian cyber operations and sabotage. Gawkowski has previously described Poland as the ‘main target’ for Russia among NATO members.
The WaterISAC-EPA bulletin detailed that during the Russia-Ukraine conflict, physical attacks using UASs presented an ever-increasing risk. Drones can carry payloads like explosives or chemicals to damage facilities, equipment, or vehicles. Even small, commercially available drones can significantly disrupt operations by crashing into critical equipment, such as pumps or control systems. Commercially available drones can also be modified using 3D printed material to drop explosive devices or other materials.
Mitigating these threats may require robust countermeasures like anti-drone systems, enhanced surveillance efforts, restricted airspace designations, and employee training.
To complicate matters, the world’s largest drone manufacturer, DJI, decided in January this year to eliminate geofencing on its drones in the U.S., replacing automatic no-fly zone restrictions with optional enhanced warning zones. This raises concerns about the increased risk to critical infrastructure from potential unauthorized drone flights.
The bulletin mentioned that critical infrastructure sectors, such as water and energy, are highly interdependent, where a disruption in one can cascade across others, amplifying impacts. In today’s dynamic threat environment, effective coordination and resilience planning across these sectors are essential to mitigate risks and ensure operational continuity. Drones are now an aspect of everyday life, necessitating that critical infrastructure organizations plan to mitigate potential threats.
Earlier this month, the Federal Aviation Administration (FAA) within the U.S. Department of Transportation (DOT) and the Transportation Security Administration (TSA), part of the Department of Homeland Security (DHS), rolled out a notice of proposed rulemaking (NPRM) to address performance-based regulations to enable the design and operation of UAS at low altitudes beyond visual line of sight (BVLOS) and for third-party services, including UAS Traffic Management (UTM), that support these operations.
Operators and service providers are now expected to develop their cybersecurity standards rooted in the NIST cybersecurity framework for conducting risk assessments, while also embedding secure-by-design principles into their systems and practices.