RADM (Ret) Mark Montgomery / Trevor Logan
America’s critical infrastructure is only as strong as its weakest link, and in the United States, water infrastructure may be the greatest vulnerability. The significant cybersecurity deficiencies observed in the drinking water and wastewater sectors result in part from structural challenges. The United States has approximately 52,000 drinking water and 16,000 wastewater systems, most of which service small- to medium-sized communities of less than 50,000 residents.1 These systems operate with limited budgets and even more limited cybersecurity personnel and expertise. Conducting effective federal oversight of, and providing sufficient federal assistance to, such a distributed network of utilities is inherently difficult.
Compounding this challenge, the increasing automation of the water sector has opened it up to malicious cyber activity that could disrupt or manipulate services. This past February, a hacker nearly succeeded in raising the concentration of a caustic agent in the drinking water of a small Florida city one hundred-fold after breaching the system the utility uses for remote-access monitoring and troubleshooting. The automation of such systems reduces personnel costs and facilitates regulatory compliance, but few utilities have invested the savings from automation into the cybersecurity of their new systems.
The expanded attack surface resulting from automation could also allow hackers to cause disruptive and cascading effects across multiple critical infrastructures. “Water is used in all phases of energy production and electricity generation,” the Department of Energy noted in a report on the nexus between the water and energy sectors.2 Water and power systems are often physically interconnected.3
The federal government — in particular, the Environmental Protection Agency (EPA), which is the sector risk management agency (SRMA) responsible for the water sector — bears responsibility for the fragility of the sector’s cybersecurity posture. The EPA is not resourced or organized to assess and support the water sector consistent with the scope and scale of the critical infrastructure challenges the sector faces. As part of its congressional mandate to assess and recommend improvements to national cyber resilience, the Cyberspace Solarium Commission (CSC) reviewed the responsibilities and performance of all SRMAs. Regarding the water sector, the CSC concluded that there is “insufficient coordination between the EPA and other stakeholders in water utilities’ security.”4 The Government Accountability Office has expressed similar concerns.5
Water infrastructure is critical to national security, economic stability, and public health and safety. Building on the CSC’s concerns regarding the vulnerability of the water sector, this paper analyzes the specific challenges facing this sector and identifies steps that utilities and the federal government — both the legislative and executive branches — should take to mitigate this national vulnerability. A layered approach combining a strengthening of the EPA, improved government financial support and oversight, and a stronger partnership between government and utilities will result in a more secure, reliable, and resilient water sector.
Specific recommendations include:
- resourcing and empowering the EPA to succeed as the water sector’s SRMA and as the government lead for cybersecurity in the sector;
- directing some of the EPA’s water sector grant programs exclusively toward cybersecurity issues;
- increasing funding for the U.S. Department of Agriculture’s rural cybersecurity programs;
- directing the Cybersecurity and Infrastructure Security Agency to increase support for the water sector;
- increasing the federal government’s financial support for water sector associations;
- encouraging water utilities to increase investments in cybersecurity technology and personnel;
- improving water utilities’ access to cybersecurity training and assessment resources;
- establishing a joint industry-government cybersecurity oversight program; and
- amending the American Water Infrastructure Act to increase the cybersecurity effectiveness of water utility risk assessments.
The post Poor Cybersecurity Makes Water a Weak Link in Critical Infrastructure appeared first on The Frontier Post.