Recent hacks on localities’ water supply have shown the importance of cybersecurity in the water infrastructure. Witnesses sounded the alarm about water infrastructure cybersecurity and called for training and funding investments at a July 21 Senate Environment and Public Works Committee hearing.
Witnesses from both the Cyberspace Solarium Commission and local municipalities’ public works departments said there are still deficiencies in both cybersecurity training and funding. Meanwhile, the water infrastructure remains one of the least secure critical infrastructures.
“The 16 critical infrastructure sectors are not equally equipped when it comes to cybersecurity there are leaders like the financial services sector, and there are quite frankly laggers,” Cyberspace Solarium Commissioner Rep. Mike Gallagher, R-Wis., told the committee. “Despite the importance of our water systems, the water and wastewater infrastructure sector lags behind many of its peers, posing a risk to our public health and safety.”
This is not the first time the commission has raised the issue of water infrastructure cyber insecurity. In addition to a March 2020 report it sent to Congress raising the issue, other members of the commission raised the issue again at an event this May.
It is a view shared by the Water Information Sharing and Analysis Center (ISAC) as well, with an April 2021 study finding that water system cybersecurity not only needs additional work to build cybersecurity into its risk assessments and called for Federal help securing the sector.
“I once appeared before a middle school group with my friend Stephen King … and a little girl raised her hand and said, ‘Do you ever have nightmares?’” fellow commissioner Sen. Angus King, I-Maine, told the committee. “Stephen King’s response was, ‘No, I give them to you.’ That’s my job today. To give you a nightmare about the vulnerability of our water systems. This is an extremely dangerous situation.”
“I believe that the next Pearl Harbor, the next 911 will be cyber, and we are facing a vulnerability in all of our systems, but water is one of the most critical and I think one of the most vulnerable,” King continued. “This has to be a sustained effort, there’s no single solution. … We’ve got to continue to up our game because our adversaries are upping their game.”
King said the fragmentation of the country’s water systems represents both positives and negatives. The positive is that unlike in critical infrastructure like the power grid, a threat actor cannot take down an entire region at once. However, the fragmentation of the sector also means facilities “rarely have the wherewithal or the knowledge … to fully protect themselves,” King said.
More training, more funding
Witnesses who operate and oversee water treatment facilities on a daily basis raised similar concerns and called for more cybersecurity training and more cybersecurity funding to better secure the sector from attacks.
Sophia Oberton, the special projects coordinator for the Town of Delmar – which exists in both Delaware and Maryland – has called for any infrastructure help to be assistance-based. Oberton noted that supporting small communities should be in the public interest since 91 percent of water systems serve towns of less than 10,000 and those areas need technical assistance to support and protect water infrastructure.
“We need help in the form of technical assistance on how to best implement the newest and most advanced cyber protection actions for our specific water infrastructure as opposed to a regulatory construct. Additional federal regulation of cybersecurity in water supplies is not the appropriate policy because local governments are eager to adopt the best cyber policies,” Oberton said in written testimony. “We need help, not enforcement.”
Despite holding Class 4 water operating licenses in both states, Oberton said cybersecurity was never a part of her training. She was not alone in that experience, as Evan Pratt, the water resources commissioner for Washtenaw County, Mich., recounted a similar experience.
“I have gone to lots of training [and] given lots of training with various professional organizations. I’ve never attended a cybersecurity class, and I can’t recall seeing one on an agenda,” Pratt told the committee. “Perhaps they are out there, but it is not typically required in licensure situations that I’m familiar with.”
In addition to calls for funding for cybersecurity training and system reviews, Jake Sullivan, the chief engineer for Boston Water and Sewer Commission, stressed the importance of the Water ISAC to the industry. Sullivan said additional funding would allow the Water ISAC to increase outreach and aid in the compilation of available information.
“We would work with our partner agencies EPA (Environmental Protection Agency), et cetera, to identify all the agencies that needed us,” Sullivan, who also chairs the Water ISAC, said. “We would take that information they have and boil it down so it’s understandable to our audience. [The Water ISAC] puts out a ton of information all over the place … we would take it and make it so that people would understand it, how it impacts this system.”
“With that knowledge, we would do additional training,” Sullivan continued. “We would have the training that’s available already … so that we could publicize that to them. Not every operator knows all of this is out there so we would centralize it.”
While the hearing painted a bleak picture of the current state of the cybersecurity of the water infrastructure sector, members of the committee expressed willingness and urgency to send the sector help. As the bipartisan infrastructure package is still being hammered out, this is an area to keep an eye on.