Cybersecurity of water sector emerges as a weak link in US national infrastructure

November 19, 2021

A U.S. research organization revealed on Thursday that the cybersecurity of the water sector has been brewing in the national infrastructure, which could affect health and human safety, national security, and economic stability. Significant cybersecurity deficiencies were observed in the drinking water and wastewater sectors result in part from structural challenges. These systems operate with limited budgets and even more limited cybersecurity personnel and expertise. Conducting effective federal oversight of, and providing sufficient federal assistance to, such a distributed network of utilities is inherently difficult.

The Foundation for Defense of Democracies (FDD) said in a memo that the U.S. must develop an effective public-private collaboration that ensures reliable, resilient water infrastructure. This will require action and investment both by water utilities and by the federal government.

With a focus on national security and foreign policy, the Washington, DC-based nonpartisan research institute conducts in-depth research, produces accurate and timely analyses, identifies illicit activities, and provides policy options. FDD aims to strengthen U.S. national security and reduce or eliminate threats posed by adversaries and enemies.

The U.S. water sector has adopted automation in a bid to combat increasing operational costs. The upgraded environment enables water levels to be monitored and operated remotely. While, the growing reliance on SCADA (supervisory control and data acquisition) systems, industrial control systems (ICS), and programmable logic controllers (PLCs) have helped reduce manpower costs. Such advancements also led to the introduction of significant cybersecurity risks, as these systems are increasingly intertwined with systems connected to the internet.

With the increase in high-profile attacks, the utilities that shifted to high levels of automation should have ramped up cybersecurity, but they have failed to safeguard their infrastructure. Instead, many water utilities still use outdated and unpatched technologies and lack cybersecurity personnel, according to the FDD memo. Part of the problem stems from the overall budgetary challenges the water industry faces.

The warning from the FDD comes soon after last month’s joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to the U.S. Water and Wastewater Systems (WWS) sector. The activity identified includes cyber intrusions leading to ransomware attacks, which threatens the ability of WWS facilities to provide clean and potable water, and effectively manage the wastewater of their communities. The WWS sector has faced various cyber intrusions from 2019 to early 2021, with the most recent one in August, where malicious cyber attackers used Ghost variant ransomware against a California-based WWS facility.

The FDD has proposed that government and industry work together to improve the water sector’s cybersecurity. This will require enhanced public-private collaboration, expanded assistance from the federal government, and increased federal oversight of the sector. Congressional oversight can help create accountability and ensure that the EPA provides meaningful support to the water sector. Given the size and diversity of the sector, government and industry will need to tailor their implementation to the varying size, complexity, and maturity of the individual utilities affected.

To get to grips with the existing challenges, the FDD proposed resourcing and empowering the Environmental Protection Agency (EPA) to succeed as the water sector’s sector risk management agency (SRMA). It also called for directing some of the EPA’s water sector grant programs exclusively toward cybersecurity issues, increasing funding for the U.S. Department of Agriculture’s rural cybersecurity programs, and directing the Cybersecurity and Infrastructure Security Agency (CISA) to increase support for the water sector.

The FDD also proposed increasing the federal government’s financial support for water sector associations, encouraging water utilities to increase investments in cybersecurity technology and personnel, improving water utilities’ access to cybersecurity training and assessment resources, setting up a joint industry-government cybersecurity oversight program, and amending the American Water Infrastructure Act to increase the cybersecurity effectiveness of water utility risk assessments.

This is not the first time that cybersecurity concerns have been raised in the water sector. The Government Accountability Office (GAO) assessed the EPA’s performance as an SSA multiple times over the past decade and identified several shortcomings. In a June 2021 letter to the EPA administrator, the GAO reported that three years after it gave the EPA a series of recommendations to strengthen water infrastructure cybersecurity, the EPA still had not developed a method to evaluate the sector’s adoption of cybersecurity best practices.

Likewise, the Cyberspace Solarium Commission (CSC) noted in its March 2020 report that the EPA failed to “conduct … risk management assignments effectively.” Unless the EPA better prioritizes and resources this task, that gap will likely grow as the agency assumes new responsibilities as an SRMA. Regarding the water sector, the CSC concluded that there is “insufficient coordination between the EPA and other stakeholders in water utilities’ security.”

Water infrastructure is critical to national security, economic stability, and public health and safety, Mark Montgomery and Trevor Logan wrote in Thursday’s FDD memo.

“Building on the CSC’s concerns regarding the vulnerability of the water sector, this paper analyzes the specific challenges facing this sector and identifies steps that utilities and the federal government — both the legislative and executive branches — should take to mitigate this national vulnerability. A layered approach combining a strengthening of the EPA, improved government financial support and oversight, and a stronger partnership between government and utilities will result in a more secure, reliable, and resilient water sector,” they added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with around 14 years of experience in the areas of security, data storage, virtualization and IoT. Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with around 14 years of experience in the areas of security, data storage, virtualization and IoT. Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with around 14 years of experience in the areas of security, data storage, virtualization and IoT. Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with around 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Features

House Committee on Oversight and Reform works towards cracking down on ransomware intrusions

Asset visibility in OT, ICS environments proves challenging as digital transformation reigns

Building greater industrial cyber resilience following Nobelium supply chain attacks

Building cyber security awareness in industrial, OT environments

Adopting a Counter Ransomware Initiative to address transnational threat landscape

New DHS railroad and aviation security directive aims to strengthen cybersecurity fabric

Adopting regulations, standards, and guidelines to build safeguards into maritime cyber security frameworks

IT-OT collaboration calls for reconceptualizing of cybersecurity insurance

Analyzing the role of the CIR Office at CISA to deal with cybersecurity incidents

Applied Risk’s TactICS suite to stimulate OT security awareness company culture with innovative approach

New bill urges critical infrastructure firms to adopt various measures, in response to mounting cybersecurity incidents

Industrial cyber security training comes into focus in advancing threat landscape – Part II

Resources

The Emerging Cyber Threat to Industrial Control Systems Final 16.02.2021

Download

Ponemon Research Report The Impact of Ransomware on Healthcare During COVID-19 and Beyond

Download

Securing IoT Networks with Edge Architecture 2

Download

Securing IoT Networks with Edge Architecture

Download

IT and OT Cybersecurity United We Stand, Divided We Fall

View

Connected digital technologies causing increased cybersecurity risks in the railways

View

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cybersecurity of water sector emerges as a weak link in US national infrastructure

Related

Register to be the first to know about all the news