Critical Infrastructure Security
The Water and Wastewater Sector Faces Growing Cybersecurity Risks, Officials Warn
Small and rural water systems across the United States lack the funding and technical expertise to improve cybersecurity even as the sector increasingly faces domestic and foreign threats, officials testified Wednesday.
See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government
The heads of several water and wastewater systems told the House Energy and Commerce subcommittee on environment, manufacturing and critical materials that the sector faces major disparities in resources to adequately identify and mitigate cyber threats.
Rick Jeffares, president of the Georgia Rural Water Association, said state employees and local agencies “lack the resources and expertise to add cybersecurity enforcement to their workload.”
“The reality is most rural utilities lack the financial resources and in-house expertise to defend themselves” from cyberattacks, Jeffares told lawmakers. The water sector workforce in Georgia is aging and the average worker is 58-years-old. “We anticipate the next generation of water operators will have a higher level of computer and cyber sophistication than I possess but, in the meantime, we all need to continue learning to implement strong cybersecurity plans.”
The Cybersecurity and Infrastructure Security Agency recently described the water sector as a “target-rich, resource-poor” industry due to the limited financial and technical resources available for many of the nation’s more than 150,000 public water systems, particularly those in small and rural communities.
The Infrastructure Investment and Jobs Act of 2021 authorized $250 million over five years for an Environmental Protection Agency initiative that offers grant assistance to public water systems serving communities of 10,000 or more people to support projects aimed at reducing a water system’s cybersecurity risks.
But Congress has only appropriated $5 million for the program, according to Scott Dewhirst, superintendent and chief operating officer of Tacoma Water.
“Fully funding the program – or at least providing a level of appropriations closer to its annual $50 million authorization – would greatly expand the number of water systems that can tap these resources to improve their cyber defenses,” Dewhirst told lawmakers.
Government watchdogs called on the federal government to better synchronize its efforts in improving water and wastewater cybersecurity efforts (see: US CISA Must Improve Water Sector Assistance, Says Watchdog). The U.S. cyber agency issued an incident response guide with the EPA and FBI earlier this month urging water and wastewater systems owners and operators to develop organizational-level incident response plans and establish strong cybersecurity baseline standards.
“Cyber threat actors are aware of – and deliberately target – single points of failure,” the guidance states. “A compromise or failure of a water and wastewater sector organization could cause cascading impacts throughout the sector and other critical infrastructure sectors” (see: New Guidance Urges US Water Sector to Boost Cyber Resilience).
The hearing follows a surge in cyberattacks targeting multiple U.S. water facilities in recent months, including an incident involving an Iranian hacking group known as “Cyber Av3ngers,” which targeted a small municipal water authority in Pennsylvania that was using Israeli-owned software in one of its facilities (see: Iranian Hacking Group Attacks Pennsylvania Water Authority).
“Smaller systems in our sector have significantly constrained budgets and must take into consideration new obligations to comply with multiple regulations,” said Kevin Morley, manager of federal relations for the American Water Works Association. Morley noted that water systems are already strained while aiming to comply with recently revised lead and copper rules and pending PFAS standards.
“Unlike other critical infrastructure sectors, to date, there has been no dedicated funding to expedite technology upgrades at water systems,” Morley added. “If the water sector is truly a national security priority, then we will need support to expedite these technology upgrades, address this digital chasm in a manner that is not punitive, and fulfill our shared commitment to the communities we serve.”