Fitch Ratings is warning that cyberattacks could pose a risk to water and sewer utilities, potentially impacting their ability to repay debt.
Fitch Ratings Inc. is an American credit rating agency and is one of the “Big Three credit rating agencies”, the other two being Moody’s and Standard & Poor’s. It is one of the three nationally recognized statistical rating organizations (NRSRO) designated by the U.S. Securities and Exchange Commission in 1975.
Fitch Ratings published an alert last week to warn of the “material risk” to water and sewer utilities caused by cyber attacks that could also impact their ability to repay debt.
The agency evaluated the resilience of water and sewer utilities to unexpected events, including cyberattacks, which could pose financial and operating risks, and even risks to the credit quality of the critical infrastructure.
“Event risks like cyberattacks are considered asymmetric risks per Fitch’s criteria, and are viewed through the lens of the response of management and sufficiency of governance systems and protocols to deflect or absorb the risk.” reads the alert published by Fitch Ratings. “Fitch assesses a utility’s financial flexibility and its relative capacity to repay debt and other liabilities. Therefore, unexpected costs related to cyber breaches could weaken liquidity metrics and constrain a utility’s overall financial profile assessment per Fitch’s criteria. Emergency efforts to combat cyberattacks could reduce cash reserves and/or increase operating expenses, decreasing funds available for debt service.”
Incident response could have a significant impact on cash reserves. The expense of mitigating a cyber-attack could impact the utilities' ability to pay their debt.
A cyber attack could also cause the loss or corruption of customer data, impacting the ability to read meters or access billing systems. An incident could reduce customer confidence and could affect the ability to raise rates. The alert also states that the administration of the utility could face unexpected financial losses due to regulatory action or lawsuits from constituents.
“The loss or corruption of customer data, electronic files and accounts that leads to the inability to read meters or access billing systems and reduces customer confidence could affect the ability to raise rates. Loss or corruption of data could also hamper the ability of a utility to monitor its own systems and provide timely and quality data to regulators and customers.” continues the alert published by the credit rating agency. “Utilities could face possible regulatory action for violation of regulations or lawsuits from other constituents, both of which could result in unexpected financial burdens.”
Credit rating agencies assess the capacity of utilities to repay their debt, and cyber attacks could impact it.
Technology investment, including solutions to defend utilities from cyber attacks, would be expected to play a crucial role within the capital improvement plans of critical infrastructure.
“Capital improvement plans may need to be revaluated or expanded in the aftermath of an attack, resulting in increased capital pressures on systems.” concludes the alert. “Fitch also includes cybersecurity in its analysis of the sector and as part of its corporate-wide environmental, social and governance (ESG) framework. Cyber risk is both a social risk in terms of safety and security, as well as a governance risk in terms of management effectiveness. A utility’s ESG Relevance Score would be elevated if cyber risk were deemed to be material to the rating.”
Unfortunately, cyber attacks against water utilities represent a real risk.
In February, an attacker attempted to raise levels of sodium hydroxide, also known as lye, by a factor of more than 100, in Oldsmar’s water supply. The city’s water supply was not affected because a remote supervisor noticed the anomalous change in the concentration of the chemical substance and reverted it.
In October 2018, Onslow Water and Sewer Authority (aka ONWASA), a water utility in the US state of North Carolina, suffered a severe ransomware attack in the week after Hurricane Florence hit the East Coast of the U.S.
According to the Onslow Water and Sewer Authority (aka ONWASA), some internal systems were infected with the Emotet malware, but the regular water service was not impacted.
In April 2016, the Lansing Board of Water & Light (BWL) utility shut down systems and phone lines in response to a ransomware-based attack.
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine