November 18, 2021 | Press Release

New FDD Report Illustrates Systemic Failures by Government and Industry to Protect the Nation’s Water Infrastructure from Cyberattack

Washington, D.C., November 18, 2021 – Cyberattacks against United States water infrastructure threaten national security, economic stability, and public health and safety. But the federal government is not properly organized and resourced to support this critical infrastructure sector despite Washington’s responsibility to help identify and mitigate cyber threats and vulnerabilities, according to a new report by the Foundation for Defense of Democracies (FDD).

In “Poor Cybersecurity Makes Water a Weak Link in Critical Infrastructure,” authors RADM (Ret.) Mark Montgomery and Trevor Logan detail the challenges confronting the nation’s water supply from U.S. adversaries and recommend the steps that utilities and the federal government—both Congress and the White House—should take to mitigate what has become a significant national security vulnerability.

“The cybersecurity of the water sector is a weak link in U.S. national infrastructure, imperiling health and human safety, national security, and economic stability,” the authors write. “It is critical that the United States develop an effective public-private collaboration that ensures reliable, resilient water infrastructure. This will require action and investment both by water utilities and by the federal government.”

Montgomery, who served as executive director of the congressionally mandated Cyberspace Solarium Commission, where he remains a Senior Advisor, is a senior fellow at FDD and senior director of its Center on Cyber and Technology Innovation (CCTI). Logan is a CCTI research analyst specializing in state-sponsored hacking groups, cyber deterrence, and cyber strategies.

Montgomery and Logan find that the Environmental Protection Agency (EPA), the federal agency responsible for providing support and technical assistance to secure the nation’s water and wastewater sector against physical and cyber threats, is not properly postured to help the water sector succeed in this challenging environment. “Over the past 20 years, the EPA has not been organized or resourced to identify, develop, and support the necessary cybersecurity practices, resources, and tools that the water sector needs to succeed,” Montgomery and Logan write.

Industry also bears responsibility for the fragility of the sector’s cybersecurity posture, but with the majority of the nation’s 70,000 water and wastewater systems serving fewer than 50,000 residents, water utilities face systemic challenges to sufficient investment in cybersecurity. “In a time of increased cyberattacks against water critical infrastructure, this means that the battlefield to defend the fathomless number of networks is left to small organizations, often on an equally scant budget,” the authors write. “Without robust help from the federal government, many of these organizations cannot defend themselves effectively.”

Recognizing the important work that industry groups are doing in the absence of a well-funded and mission-focused EPA, the authors urge a more robust public-private partnership. “Government and industry must work together to improve the water sector’s cybersecurity. This will require enhanced public-private collaboration, expanded assistance from the federal government, and increased federal oversight of the sector.”

Montgomery and Logan offer several specific recommendations for Congress and the White House, including:

  • Resourcing and empowering the EPA to succeed as the water sector’s risk management agency and as the government lead for cybersecurity in the sector.
  • Directing some of the EPA’s water sector grant programs exclusively toward cybersecurity issues.
  • Increasing funding for the U.S. Department of Agriculture’s rural cybersecurity programs.
  • Directing the Cybersecurity and Infrastructure Security Agency (CISA) to increase its support to the water sector.
  • Increasing the Federal Government’s financial support for water sector associations.
  • Encouraging water utilities to increase investments in cybersecurity technology and personnel.
  • Improving water utilities’ access to cybersecurity training and assessment resources.
  • Establishing a joint industry-government cybersecurity oversight program.
  • Amending the American Water Infrastructure Act to increase the cybersecurity effectiveness of water utility risk assessments.

Implementing any single one of these recommendations is insufficient to address the cybersecurity threats to the water sector. The report assesses “a layered approach combining a strengthening of the EPA, improved government financial support and oversight, and a stronger partnership between government and utilities will result in a more secure, reliable, and resilient water sector.”

The report is a product of FDD’s Center on Cyber and Technology Innovation and provides a comprehensive view of the myriad cybersecurity issues confronting the water sector. The report’s authors met with numerous industry experts and senior officials, whose insights on the water sector have been captured throughout the report.

To contact FDD media relations, please email [email protected].


About the Foundation for Defense of Democracies:

FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy. Connect with FDD on Twitter, Facebook, and YouTube.