What will it take to defend public water against cyber attacks?
Public water systems are exceptionally vulnerable to cyber attacks, senators said at a hearing of the U.S. Senate Committee on the Environment and Public Works on July 21.
The White House has designated sixteen critical infrastructure sectors as essential to the public health, economic security and/or national security of the country. Among them, the financial services sector has emerged with particularly robust defenses, while drinking water and sanitation systems are perhaps among the most poorly protected.
Water networks on both coasts have been hit by digital tampering attempts this year, in incidents that ultimately did not harm residents, but which nonetheless sounded the alarm about the IT readiness of public services. Criminals broke into the systems of a California Bay Area water facility to shut down programs involved in treating drinking water; a former employee reportedly used remote access to shut down the cleaning and disinfection process of a Kansas water system; and hackers apparently tried to poison residents of Oldsmar, Fla., by increasing the amount of lye added during water treatment – before staff detected and reversed the attempt.
Beyond the obvious damage to residents directly affected, a successful attack on one of the country’s water supply operations could also spill over into other parts of society by disrupting industries that depend on water for their operations, said Representative Mike Gallagher, R-Wisc., co-chair of the Cyberspace Solarium Commission (CSC).
The public drinking water system is managed by a large number of public and not-for-profit entities, which sets it apart from some other critical infrastructure sectors dominated by large for-profit companies.
“The good news is that our water supply systems are fragmented and scattered. In other words, it’s not like the [consolidated] power grid where an adversary could destroy an entire region of the country,” said Maine Senator Angus King, the other CSC co-chair. “The bad news is that because they are so fragmented – [there’s] 70,000 of them – rarely do [water agencies] have the means or the knowledge necessary to fully protect themselves. Thus, they can be removed one by one more easily.”
Water utilities depend on paying customers to fund operations and cybersecurity measures, and resources can be particularly limited as the customer base shrinks. While some are funded by large urban populations, Sophia Oberton – special project coordinator for Delmar’s public works department – said some water utilities can support small trailer park communities of only 25 residents.
Agency use of technology, and the specific cyber issues that result from it, also tends to vary by size, with large departments running complex Supervisory Control and Data Acquisition (SCADA) systems while smaller agencies tend to rely on simpler tools. No organization of any size can consider itself completely free of cyber risk, but Oberton urged the federal government to account for these differences when introducing cybersecurity initiatives and to avoid treating all agencies as if they operated in the same context.
Water agencies, especially smaller ones, are in dire need of more support to train their staff, get the latest cybersecurity information and adopt best practices, stakeholders said. Federal government funding and advocacy efforts could stimulate many of these areas, helping agencies learn about and implement cybersecurity practices and join existing support organizations.
Cybersecurity awareness has not traditionally been a priority for the public water sector. The hearing brought together representatives from three water utilities, who said they were not aware of any cybersecurity training requirement for drinking water operator licenses, but that such training would be valuable.
A member of the American Public Works Association (APWA) Government Affairs Committee and Washtenaw County, Michigan Water Resources Commissioner, Evan Pratt recommended that the federal government provide “comprehensive” e-learning to existing public works personnel. Boston Water and Sewer Commission chief engineer John Sullivan stressed that one-off education efforts won’t work and must be repeated regularly to keep topics fresh in the minds of staff. He said his water agency provided training, but still suffered a ransomware attack in 2020 after an employee clicked on a malicious link.
STRENGTHEN EXISTING RESOURCES
Agencies don’t have to start from scratch to fill training and threat intelligence gaps.
Sullivan – who is also chairman of the non-profit Water Information Sharing and Analysis Center (WaterISAC) – said entities like the Cybersecurity and Infrastructure Security Agency (CISA) provide a wealth of high-quality knowledge, and that WaterISAC is already working to distill the most relevant insights and pass them on to its members. WaterISAC also connects members to resources, such as a specialist firm that advised Boston on responding to its ransomware attack.
But membership comes at a cost that small, cash-strapped water agencies can’t always afford, and Sullivan suggested that the federal government fund membership fees for those entities and help publicize WaterISAC.
Well-established support programs can also be extended to bring cybersecurity training within the reach of small water utilities. Oberton said her own agency has benefited from the long-running federal Rural Water Circuit Rider program, which sends specialists to visit water operators and provide on-site assistance and training on a variety of topics. The federal government could consider funding more circuit riders to provide community-specific cybersecurity training.
The water sector is not subject to specific federal cybersecurity requirements, stakeholders said. Sullivan said his agency was not required to certify that it had assessed its own system or that it had a response plan.
Creating plans without testing them may not be enough to confirm that agency defenses will actually work as intended, King said, and he argued for required penetration testing.
Several stakeholders also said the federal government should step in with clearer guidance to water agencies on how they can improve their defenses. Senator Sheldon Whitehouse, D-RI, credited strong regulation of the financial sector with that industry’s strong cybersecurity readiness, while Pratt recommended creating a set of voluntary national cybersecurity guidelines for water. For small water agencies, the voluntary nature may be the key, with Oberton urging against strict rules that could divert the time of already limited staff toward compliance work rather than other tasks.
“Further federal regulation on cybersecurity in the water supply is not the appropriate policy as local governments are eager to adopt the best cyber policies,” she said in written testimony. “We need help, not law enforcement.”