Cybersecurity of water sector emerges as a weak link in US national infrastructure

water sector

A U.S. research organization revealed on Thursday that the cybersecurity of the water sector has been brewing in the national infrastructure, which could affect health and human safety, national security, and economic stability. Significant cybersecurity deficiencies were observed in the drinking water and wastewater sectors result in part from structural challenges. These systems operate with limited budgets and even more limited cybersecurity personnel and expertise. Conducting effective federal oversight of, and providing sufficient federal assistance to, such a distributed network of utilities is inherently difficult.

The Foundation for Defense of Democracies (FDD) said in a memo that the U.S. must develop an effective public-private collaboration that ensures reliable, resilient water infrastructure. This will require action and investment both by water utilities and by the federal government.

With a focus on national security and foreign policy, the Washington, DC-based nonpartisan research institute conducts in-depth research, produces accurate and timely analyses, identifies illicit activities, and provides policy options. FDD aims to strengthen U.S. national security and reduce or eliminate threats posed by adversaries and enemies.

The U.S. water sector has adopted automation in a bid to combat increasing operational costs. The upgraded environment enables water levels to be monitored and operated remotely.  While, the growing reliance on SCADA (supervisory control and data acquisition) systems, industrial control systems (ICS), and programmable logic controllers (PLCs) have helped reduce manpower costs. Such advancements also led to the introduction of significant cybersecurity risks, as these systems are increasingly intertwined with systems connected to the internet.

With the increase in high-profile attacks, the utilities that shifted to high levels of automation should have ramped up cybersecurity, but they have failed to safeguard their infrastructure. Instead, many water utilities still use outdated and unpatched technologies and lack cybersecurity personnel, according to the FDD memo. Part of the problem stems from the overall budgetary challenges the water industry faces.

The warning from the FDD comes soon after last month’s joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to the U.S. Water and Wastewater Systems (WWS) sector. The activity identified includes cyber intrusions leading to ransomware attacks, which threatens the ability of WWS facilities to provide clean and potable water, and effectively manage the wastewater of their communities. The WWS sector has faced various cyber intrusions from 2019 to early 2021, with the most recent one in August, where malicious cyber attackers used Ghost variant ransomware against a California-based WWS facility.

The FDD has proposed that government and industry work together to improve the water sector’s cybersecurity. This will require enhanced public-private collaboration, expanded assistance from the federal government, and increased federal oversight of the sector. Congressional oversight can help create accountability and ensure that the EPA provides meaningful support to the water sector. Given the size and diversity of the sector, government and industry will need to tailor their implementation to the varying size, complexity, and maturity of the individual utilities affected.

To get to grips with the existing challenges, the FDD proposed resourcing and empowering the Environmental Protection Agency (EPA) to succeed as the water sector’s sector risk management agency (SRMA). It also called for directing some of the EPA’s water sector grant programs exclusively toward cybersecurity issues, increasing funding for the U.S. Department of Agriculture’s rural cybersecurity programs, and directing the Cybersecurity and Infrastructure Security Agency (CISA) to increase support for the water sector.

The FDD also proposed increasing the federal government’s financial support for water sector associations, encouraging water utilities to increase investments in cybersecurity technology and personnel, improving water utilities’ access to cybersecurity training and assessment resources, setting up a joint industry-government cybersecurity oversight program, and amending the American Water Infrastructure Act to increase the cybersecurity effectiveness of water utility risk assessments.

This is not the first time that cybersecurity concerns have been raised in the water sector. The Government Accountability Office (GAO) assessed the EPA’s performance as an SSA multiple times over the past decade and identified several shortcomings. In a June 2021 letter to the EPA administrator, the GAO reported that three years after it gave the EPA a series of recommendations to strengthen water infrastructure cybersecurity, the EPA still had not developed a method to evaluate the sector’s adoption of cybersecurity best practices.

Likewise, the Cyberspace Solarium Commission (CSC) noted in its March 2020 report that the EPA failed to “conduct … risk management assignments effectively.” Unless the EPA better prioritizes and resources this task, that gap will likely grow as the agency assumes new responsibilities as an SRMA. Regarding the water sector, the CSC concluded that there is “insufficient coordination between the EPA and other stakeholders in water utilities’ security.”

Water infrastructure is critical to national security, economic stability, and public health and safety, Mark Montgomery and Trevor Logan wrote in Thursday’s FDD memo.

“Building on the CSC’s concerns regarding the vulnerability of the water sector, this paper analyzes the specific challenges facing this sector and identifies steps that utilities and the federal government — both the legislative and executive branches — should take to mitigate this national vulnerability. A layered approach combining a strengthening of the EPA, improved government financial support and oversight, and a stronger partnership between government and utilities will result in a more secure, reliable, and resilient water sector,” they added.