Tackling Cyber Threats Against the U.S. Water Sector
Definitions of cyber threats and cybersecurity
Cyber threats refer to cyberattacks and cyber intrusions on operational and information systems by unauthorized users. These threats range from a data breach (the theft or manipulation of personal, confidential, financial, and medical information) to the damage or disruption of critical infrastructure assets. The motivations and methods of cyber threat actors vary. Cyber threat actors could be state-sponsored actors, organized cybercriminals, hacktivists, or lone-wolf attackers. Common motivations for cyber threat actors are financial gain, recognition, and political purpose. Additionally, common methods of cyber threats include social engineering (e.g., phishing), malware (e.g., ransomware), and denial-of-service (DoS).
If the cyber threat is a sword in a battle in cyberspace, cybersecurity is a shield. Cybersecurity refers to actions taken by public, private, and nonprofit actors to identify, protect, detect, and respond to cyber threats and recover from the damages. Cybersecurity is a salient topic, given that cyber threats are becoming more frequent and sophisticated, and society is increasingly connecting its physical space to cyberspace. In particular, the importance of cybersecurity has taken on new urgency in the public and nonprofit sectors. Governments across the world have embraced information and communication technology (ICT) and e-governance for better public service delivery. Likewise, nonprofit organizations across the world have expanded their footprints in the digital age. Moreover, the public and nonprofit sectors are no longer strangers to artificial intelligence (AI), the Internet of Things (IoT), automation, and smart cities, all of which should be grounded in robust cybersecurity.
Cybersecurity weaknesses in the U.S. water sector
Recent cyber incidents in the U.S. have raised awareness of cyber threats to public service, ranging from election administration to power and water utilities. The U.S. water sector is one of the primary targets for cyber threats and is considered more vulnerable than other critical infrastructure sectors. Water and wastewater operators often rely on industrial control system (ICS) devices developed decades ago, and their operational and information technology (OT/IT) systems tend to be outdated.
The fragmented nature of the U.S. water sector has exacerbated cybersecurity weaknesses in water and wastewater infrastructure. The U.S. water sector has more than 150,000 public water systems, and about 80% of them are publicly owned and operated by municipalities. Furthermore, small- and medium-sized municipal operators are highly vulnerable to cyber threats because local governments are often under-resourced and heavily dependent on remote administration and outside contractors.
Three growing strengths of water sector cybersecurity
The U.S. water sector (more precisely, the U.S. water and wastewater systems sector) features extensive vulnerabilities that water utilities cannot resolve alone. However, the U.S. water sector today appears to have reached a competitive position to tackle cyber threats. Three of the growing strengths are a record amount of federal funding, legislative and regulatory changes, and collaborative actions within the water and wastewater industry. While many technical and policy challenges remain to be solved, the three strengths are charting the future of water sector cyber resilience in this nation.
First, a record amount of federal funding provided substantial avenues for securing and improving water infrastructure. The Bipartisan Infrastructure Law, enacted in November 2021, has committed nearly $2 billion for infrastructure cybersecurity and enabled water sector cybersecurity programs by the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA). The CISA is the national coordinator for critical infrastructure security and resilience, and the EPA is the sector risk management agency responsible for the water and wastewater systems sector. The programs newly added through federal funding include the cyber vulnerability scanning program, free of charge to water utilities, which identifies all active internet-accessible assets to be scanned and checks them for potential vulnerabilities and configuration weaknesses. The significant federal funding also allowed the EPA to better support state governments and water utilities in enhancing their response plans for cybersecurity incidents, providing technical assistance, and training water systems staff.
Second, recent legislative and regulatory changes clarified cybersecurity guidelines and requirements for water agencies and utilities on preparedness for, mitigation of, response to, and recovery from cybersecurity risks. While several legislative and regulatory actions at the federal and state levels are shaping cybersecurity in the water sector by implementing rules and norms, listed below are four representative examples of those changes that focus on or influence water and wastewater systems. More information can be found in a 2022 article “Strengthening Cybersecurity of Water Infrastructure through Legislative Actions,” published in the Journal of the American Water Resources Association.
- America’s Water Infrastructure Act of 2018 mandates community water systems that serve more than 3,300 people to conduct risk assessments and develop emergency response plans for their cyber and physical systems. The law also establishes deadlines by which water systems must submit a letter to the EPA certifying the completion of their risk and resilience assessments and emergency response plans.
- Internet of Things Cybersecurity Improvement Act of 2020 directs the development of guidelines and standards for reporting and resolving the security vulnerabilities of IoT devices used by federal agencies and contractors.
- New Jersey’s Water Quality Accountability Act requires public water purveyors in New Jersey that serve more than 500 service connections to engage in cyber risk management activities and report cybersecurity incidents to the state government.
- New York’s Water Supply Emergency Plans require community water systems that serve more than 3,300 people to conduct vulnerability assessments and develop emergency response plans for cyber and physical security threats.
Third, collaborative actions within the water and wastewater industry resulted in practical guidelines and resources for water sector cybersecurity and streamlined communications with the appropriate federal and state agencies. The American Water Works Association (AWWA), the Water Information Sharing and Analysis Center (WaterISAC), and the Water Sector Coordinating Council (WSCC) have led the collaborative and coordinated efforts. WaterISAC is the designated information sharing and operations arm of the WSCC, the self-organized and self-governed council in the water sector. Listed below are two representative examples of those collaborative and cooperative actions within the industry, in addition to collaborations with consulting firms, such as Booz Allen Hamilton, Cisco, Dragos, and IBM, which have engaged in water sector cybersecurity.
- AWWA Cybersecurity & Guidance provides water sector cybersecurity risk management guidance and assessment tools aligned with the National Institute of Standards and Technology Cybersecurity Framework. The AWWA also offers certificate programs, publications, standards, and webinars on cybersecurity for water systems.
- WaterISAC provides cyber and physical threat alerts and analyses, as well as best practices and tools for water sector cybersecurity and resilience.
Cyber threats to the U.S. water sector can compromise essential infrastructure and harm the health and safety of citizens. These threats are real and ever-evolving. Increased attention to cybersecurity is essential to water resilience. As shown by the temporary blockage of the EPA’s new cybersecurity guidelines (“Evaluating Cybersecurity During Public Water Sanitary Surveys”), many legal and technical challenges remain to be addressed. However, we are witnessing the federal government’s strong support, adaptive responses from legislators and officials, and collaborative efforts within the industry, all of which help prevent rising fear of our cyber future. Our shields in this battle are polished and refined, not broken and battered; our shields grant us hope rather than despair.