Since 2021, the Biden Administration has been consistently talking about the limitations of a purely voluntary approach to cybersecurity for critical infrastructure, and the need for a strategic shift. Among the top priorities for this new focus is the Nation’s water sector, which has a long way to go in terms of cybersecurity.
In 2021, the Foundation for Defense of Democracies declared: “The cybersecurity of the water sector is a weak link in U.S. national infrastructure, imperiling health and human safety, national security, and economic stability.”
Despite that recognition, as well as the many efforts by the U.S. Environmental Protection Agency, which serves as the Water and Wastewater Sector Risk Management Agency, and the utilities in the sector itself, that situation remains largely unchanged today. The breadth and scope of the utilities in the water sector, as well as the undercapitalization for infrastructure improvements and underlying technology, means that broad vulnerabilities remain.
This has become a greater concern as continued intelligence reporting – both from the government and from open source intelligence groups, such as Dragos, have found that potential adversaries, including the Chinese government, have a demonstrated interest in developing plans to attack U.S. water infrastructure. Attacks against vulnerable operational technology systems used to operate water and wastewater infrastructure could significantly impact the availability of water, as well as threaten the systems that protect the safety of drinking water. The consequences would likely be amplified by the public fear and uncertainty that would follow.
To veteran cyber defenders, concern about cyber security in the water sector is not new. There has been a longstanding consensus that security controls, culture, capability and capacity are lacking in the sector. With what now looks like an enhanced threat, it is time to reject the existing approach and call for more urgent action in the face of the risk.
We ought to focus on five key areas:
- Prioritizing progress in cybersecurity on operational technology, the internet of things, and industrial control systems.
- Ensuring processes are in place to monitor the risk associated with the supply chain of such technologies.
- Creating a new regulatory framework for water cybersecurity.
- Utilizing infrastructure investment dollars from rate payments to enhance investments in demonstrable upgrades to underlying digital technology to enable water systems.
- Enhancing cyber resilience planning so that water delivery can be maintained even in the face of cyber attacks.
Implementing these priorities would result in a strategy that secures the underlying technology that enables the operation of water and wastewater facilities and would push to raise security levels at individual water facilities. It means driving the market to more secure-by-design and secure-by-default technologies.
One change that could be implemented now is the creation of an independent entity to lead the development of cybersecurity requirements, relying on industry expertise and modeled off the electricity sector. The House of Representatives has proposed such an approach in creating a Water Risk and Resilience Organization (WRRO) This would create a more nimble regulatory partnership which could link outcomes, requirements, and controls to threats and vulnerabilities.
In the water sector, like many critical infrastructure industries, cyber security needs to be balanced with business interests and cannot be achieved without investments, which need to be recouped in utility rates. What the proposed Water Risk and Resilience Organization would do is set a defensible standard for the kind of security and technologies that are necessary for more cyber secure water facilities and mandate that those standards are followed. This would then set market conditions for enabling technologies and help give rate regulators confidence that costs are reasonable and should be part of utility rates.
Another area is the emphasis on resilience. Mandating resilience standards means that water sector organizations will have responsibilities for planning, exercising, and building resilience in case incidents do impact water supply. This makes it less likely that a cyber incident will have a significant cascading impact on communities.
This kind of smart security and resilience regulation is a welcome additive to the purely voluntary approach. It is intended to integrate cyber security and resilience into the “cost of doing business,” while relying heavily on private expertise. It is particularly appropriate for the water sector given the current risk environment.
Across many issues, today’s cyber and supply chain risk environment requires new strategies and policies – and related structures – to meet the challenges.
The nation’s leaders have been clear that the system is “blinking red” in terms of threats. The related changes needed to address them need to be met with appropriate urgency.
About the Author
Bob Kolasky is Senior Vice President of Critical Infrastructure at Exiger, where he directs the development of cutting-edge third party and supply chain risk management technology for the critical infrastructure community. Bob is a widely-recognized expert with over two decades of experience. He’s a Nonresident Scholar in the Carnegie Endowment’s International Peace’s Technology and International Affairs Program, a CSIS Senior Associate, and a Senior Fellow at Auburn University’s McCrary Institute. Bob also served the OECD’s High-Level Risk Forum Chair. He was the founding Director for CISA’s National Risk Management Center, where he co-chaired the Information and Communications Technology Supply Chain Risk Management Task Force. Throughout his career, he’s worked for government agencies and contractors, including DHS, GAO, Abrams Learning & Information Systems and Booz Allen Hamilton.
Bob Kolasky can be reached online at LinkedIn and at our company website https://www.exiger.com/
