Industrial controls governing water-related U.S. critical infrastructure are woefully under-estimated as cyberattack targets. The potential for attack, say policymakers, is too great to ignore with consequences potentially devastating to populations.
On Wednesday, the Center on Cyber and Technology Innovation (CCTI) and the Cyberspace Solarium Commission (CSC 2.0) released policy statements based on a recent panel discussion titled “Strengthening the Cybersecurity of American Water Utilities.”
Water may be the greatest vulnerability in our national infrastructure, said Samantha Ravich, chair of CCTI. Much of the problem lies in just how decentralized water systems are, she explained.
“Each of these systems operates in a unique threat environment, often with limited budgets and even more limited cybersecurity personnel to respond to these threats,” she said. “Conducting federal oversight of, and providing sufficient federal assistance to, such a distributed network of utilities is inherently difficult.”
Panelists included representatives from government and environmental agencies, including the Environmental Protection Agency (EPA), American Water Works Association and congresspersons within the United States House of Representatives.
Under the Radar and Under Protected
Panelists asserted that protecting critical water infrastructure systems from cyberattack were a greater imperative versus healthcare and the power grid, which includes nuclear facilities.
Ravich pointed out, the U.S. has around 52,000 drinking water and 16,000 wastewater systems. “Each of these systems operates in a unique threat environment, often with limited budgets and even more limited cybersecurity personnel to respond to these threats,” she said.
Water treatment plants are a ripe target because the majority of them serve smaller communities of fewer than 50,000 residents. That often forces budget-challenged federal, state and municipalities to make hard choices when it comes to what gets cybersecurity funding at the local level.
“Conducting federal oversight of, and providing sufficient federal assistance to, such a distributed network of utilities is inherently difficult,” she said.
How Vulnerable is the U.S. Water System?
In an opening remark, Congressman Jim Langevin (D-RI), brought the issue home.
“The water sector should generate serious concern,” he stated. He added, because “known and unknown cyber actors are attempting to compromise both information technology and operational technology assets at water treatment facilities.”
Langevin cited a cyberattack on critical water infrastructure that occurred in 2021 when a water treatment plant in Oldsmar, Florida was attacked. In that incident, a hacker broke into the IT system of Oldsmar’s water treatment plant and remotely accessed the computer system.
“[The plant] operator observed the mouse moving around on the screen to access various systems that control the water being treated,” according to reports. The hacker tried poisoning the supply, by adjusting sodium hydroxide levels from 100 parts per million to 11,100. Because the plant operator observed what was going on, the attack was thwarted in time.
When Operators Don’t Pay Attention?
What if the plant hadn’t allocated adequate time and money to cybersecurity? Oldsmar, Langevin assessed, “demonstrated that under investments in water sector cybersecurity could lead to disaster.”
Fixing “under investments” in water security won’t be so straightforward. Langevin highlighted how utilities providers often lack the resources to meet regulatory guidelines instituted by organizations like the EPA. And the EPA, for its part, “faces challenges in meeting its responsibilities when it comes to the day-to-day relationship between the federal government and their water sector.”
“Knowing what we know about the cyber threats facing the water sector,” Langevin concluded. “This status quo simply cannot continue. The risks are too great. So we need to raise the bar among water utilities across the country, build a capacity and strengthen adherence to industry-wide standards. And we need to ensure that the EPA is appropriately resourced and empowered to fulfill its critical mission as a sector risk management agency for water.”
The full panel discussion can be found on YouTube.
Panelists included representatives from government and environmental agencies, including the Environmental Protection Agency (EPA), American Water Works Association, and the United States House of Representatives.
