What Will It Take to Defend Drinking Water from Cyber Attacks?
Public water systems are exceptionally vulnerable to cyber attack, said senators during a U.S. Senate Committee on Environment and Public Works hearing July 21.
The White House has deemed sixteen industry sectors as essential to the nation’s health, safety economy and/or security. Among them, the financial services sector has emerged with particularly robust defenses, while drinking water and wastewater systems may be among the most loosely protected.
Water systems on both coasts were hit by digital tampering efforts this year, in incidents that did not ultimately harm residents but which nonetheless raised alarm bells about the utilities’ cyber preparedness. Criminals broke into a Bay Area California water facility’s systems to delete programs involved in treating drinking water, a former employee allegedly used remote access to shut down a Kansas water system’s cleaning and disinfection processes and hackers seemingly tried to poison Oldsmar, Fla., residents by elevating the amount of the lye used during water treatment — before staff detected and reversed that attempt.
Beyond the obvious harm to directly impacted residents, a successful attack against any of the nation’s water operations could also ripple out to other parts of society by disrupting industries that depend on water for their operations, said Rep. Mike Gallagher, R-Wisc., co-chair of the Cyberspace Solarium Commission (CSC).
The public drinking water system is managed by a vast number of nonprofit and public entities, setting it apart from some of the other critical infrastructure sectors dominated by major for-profit companies.
“The good news is our water systems are fragmented and scattered. In other words, it’s not like the [consolidated] electric grid where an adversary could take down a whole region of the country,” said Maine Sen. Angus King, the CSC’s other co-chair. “The bad news is that, because they’re so fragmented — [there’s] 70,000 of them — rarely do [water agencies] have the wherewithal or the knowledge to fully protect themselves. So they can be picked off one at a time more easily.”
Water services depend on rate-paying customers to fund operations and any cybersecurity measures, and resources can be particularly tight as the pool of customers shrinks. While some are funded by large city populations, Sophia Oberton — special project coordinator for the Delmar Public Works Department — said that some water services may be supporting small trailer park communities of only 25 residents.
Agencies’ technology use and their resulting specific cyber concerns tend to vary with size as well, with larger departments leveraging complicated supervisory control and data acquisition (SCADA) systems, while smaller agencies tend to have simpler tools. No size of organization can believe itself fully free of cyber risk, but Oberton urged federal governments to be mindful of such differences when introducing cybersecurity initiatives and to avoid treating all agencies as if they operate in the same context.
Water agencies, especially smaller ones, largely need more support in training personnel, getting the latest cybersecurity information and adopting best practices, speakers said. Federal funding and promotion efforts could boost many of these areas, helping agencies learn about and implement cybersecurity practices and join existing support organizations.
Cybersecurity awareness has not traditionally been a focus for the public water sector. The hearing brought together representatives of three water services, who said they were not aware of cybersecurity training being required for any drinking water operator licenses, but that cyber skills training would be valuable.
American Public Works Association (APWA) Government Affairs Committee member and Washtenaw County, Mich., water resources commissioner, Evan Pratt recommended the federal government provide “comprehensive” cyber training to existing public works personnel. Boston Water and Sewer Commission chief engineer John Sullivan emphasized that one-and-done education efforts will not work and must be regularly recurring to keep the topics fresh in staff’s minds. He said his water agency provided training but still suffered a ransomware attack in 2020 after an employee clicked a malicious link.
BOOSTING EXISTING RESOURCES
Filling the training and threat intelligence gap doesn’t require starting from scratch.
Sullivan — who is also chair of the nonprofit Water Information Sharing and Analysis Center (WaterISAC) — said that entities like the Cybersecurity and Infrastructure Security Agency (CISA) provide a wealth of high-quality knowledge, and that the WasterISAC already works to extract the most relevant insights and push them out to its membership. The nonprofit also connects members to resources, such as a specialist firm that advised Boston in responding to its ransomware attack.
But membership comes at a cost that cash-strapped small water agencies cannot always afford, and he suggested the federal government fund these entities’ membership dues as well as help publicize the ISAC.
Well-established support programs can also be expanded to put cybersecurity training in easy reach of small water services. Oberton said her own agency has benefited from the long-running federal Rural Water Circuit Rider program, which sees specialists visit water operators and provide on-site assistance and training in a variety of topics. The federal government could consider sending more circuit riders to provide community-specific cybersecurity training.
The water sector is not held to specific federal cybersecurity requirements, speakers said. Sullivan said his agency is only required to self-report that it has evaluated its own system and had a response plan.
Creating plans without putting them to the trial can fall short of confirming that agencies’ defenses will actually work as intended, King said, and advocated for required penetration testing.
Several speakers also said that the federal government should step in with clearer advice to water agencies on how they can improve their defenses. Sen. Sheldon Whitehouse, D-RI, credited robust financial system regulations for that sectors’ strong cyber preparedness, while Pratt recommended creating a set of voluntary national cybersecurity guidelines for water. For small water agencies, the voluntary nature may be key, with Oberton urging against strict rules that could divert already-limited staff time to compliance work rather than other tasks.
“Additional federal regulation of cybersecurity in water supplies is not the appropriate policy because local governments are eager to adopt the best cyber policies,” she said in written testimony. “We need help, not enforcement.”