May 9, 2022 | CyberSecurity Magazine

It’s Time to Secure the Water Sector from Cyber Threats

May 9, 2022 | CyberSecurity Magazine

It’s Time to Secure the Water Sector from Cyber Threats

The Biden administration is reportedly considering a first-ever integrated action plan for global water security, linking global access to clean, reliable water to U.S. national security for the first time. At home, the linkage between national security and security of the water and wastewater sector is self-evident by its very definition as critical infrastructure. Yet decades of chronic underinvestment and under-resourcing of federal support to the industry has left this life-supporting and life-sustaining infrastructure vulnerable to cyber threats.

The Environmental Protection Agency (EPA) provides federal support and technical assistance to the nation’s water and wastewater sectors as a sector risk management agency (SRMA). These responsibilities include helping to secure the sector against cyber threats. However, for decades, the EPA has not been sufficiently organized or resourced to provide the support the sector needs, my colleague and I concluded in a Foundation for Defense of Democracies report published at the end of last year. The federal government has too often used a “top-down, one-size-fits-all approach” to cybersecurity, which does not adapt to the unique risks, threats, and vulnerabilities that water organizations face. Building on the work of the congressionally mandated Cyberspace Solarium Commission, we analyzed how insufficient federal support and oversight combined with insufficient industry understanding of the threat has culminated in the water sector’s cybersecurity woes.

Securing the U.S. water sector against natural and manmade threats is not easy. The U.S. currently has approximately 52,000 drinking water and 16,000 wastewater systems, most serving communities with fewer than 50,000 residents. These systems operate with limited budgets overseen by even more limited cybersecurity personnel and expertise. Providing adequate federal support and oversight of these distributed networks is inherently difficult, but it is not impossible. It requires getting the right experts around the table, as detailed in the FDD report’s policy recommendations and subsequent model legislative text.

To date, the U.S. government has failed to bring the right people around the table to improve the cybersecurity of the water sector. “There are no water sector cybersecurity experts in the federal government,” industry representatives warned bluntly, yet the government has pressed ahead on flawed proposals that lack sector buy-in. Stakeholders from the water sector have criticized EPA’s plan to use sanitation surveys to apply new cybersecurity controls, saying that it is not the right tool for the job. Industry representatives also expressed caution about the EPA’s 100-day initiative safeguarding Industrial Control Systems, noting that it focuses only on actions that can be taken quickly by larger utilities. Other experts questioned whether the sector – and other critical infrastructure sectors – will benefit from the visibility and information the federal government will gain.

Rectifying the problems associated with the cybersecurity of U.S. water infrastructure requires increasing government resources to better support the sector and closer collaboration between the government and industry. Congress can take the first step by increasing EPA budget to ensure that the agency has the staff and funding to fulfill its responsibilities as an SRMA. Congress will also need to set aside funding in existing grant programs to ensure that climate change and natural disaster mitigation funding do not crowd out cybersecurity investments.

Meanwhile, ensuring that rural water systems are not left behind can be achieved with a relatively modest increase in funding for the Rural Water Circuit Rider program. Currently, 147 circuit rider experts provide traveling technical support to the almost 70,000 U.S. rural water organizations around the country in 49 states and Puerto Rico. The program offers a critical service for small water organizations, but the current Circuit Riders cannot assist all the water organizations that need their help. Congress should increase funding to expand the Circuit Rider program by 50 cybersecurity experts. While 50 will not completely mitigate the Circuit Rider program’s capacity shortfalls, it is a step in the right direction to help protect the most vulnerable water organizations.

The most significant step in better public-private collaboration would be a joint industry-government voluntary, regulatory program for cybersecurity in the water sector. Mirroring the successful example in the electricity subsector, this partnership should be led by experts in the water industry so that they can identify the technical standards needed to regulate the sector. The government can then provide support for those standards and together they can help ensure that a baseline of cybersecurity readiness is met.

The Biden administration’s goal of a clean and reliable global water supply as an issue of national security is commendable. Poor cybersecurity in the water sector not only imperils health and human safety, but it also impacts national security and our economic stability. It is vital that the United States pursue effective public-private collaboration that ensures a clean and reliable water supply at home, so that America can lead by example while helping international partners to ensure a sustainable global water supply.

Trevor Logan is a research analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). For more analysis from Trevor and CCTI, please subscribe HEREFDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.