Page 167 - Cyber Defense eMagazine June 2024
P. 167

This has become a greater concern as continued intelligence reporting – both from the government and
            from open source intelligence groups, such as Dragos, have found that potential adversaries, including
            the  Chinese  government,  have  a  demonstrated  interest  in  developing  plans  to  attack  U.S.  water
            infrastructure. Attacks against vulnerable operational technology systems used to operate water and
            wastewater  infrastructure  could  significantly  impact  the  availability  of  water,  as  well  as  threaten  the
            systems that protect the safety of drinking water.  The consequences would likely be amplified by the
            public fear and uncertainty that would follow.

            To veteran cyber defenders, concern about cyber security in the water sector is not new.  There has been
            a longstanding consensus that security controls, culture, capability and capacity are lacking in the sector.
            With what now looks like an enhanced threat, it is time to reject the existing approach and call for more
            urgent action in the face of the risk.




            We ought to focus on five key areas:

            1) Prioritizing progress in cybersecurity on operational technology, the internet of things, and industrial
            control systems.

            2)  Ensuring  processes  are  in  place  to  monitor  the  risk  associated  with  the  supply  chain  of  such
            technologies.


            3) Creating a new regulatory framework for water cybersecurity.
            4) Utilizing infrastructure investment dollars from rate payments to enhance investments in demonstrable
            upgrades to underlying digital technology to enable water systems.

            5) Enhancing cyber resilience planning so that water delivery can be maintained even in the face of cyber
            attacks.



            Implementing  these  priorities  would  result  in  a  strategy  that  secures  the  underlying  technology  that
            enables  the  operation  of  water  and  wastewater  facilities  and  would  push  to  raise  security  levels  at
            individual water facilities. It means driving the market to more secure-by-design and secure-by-default
            technologies.

            One  change  that  could  be  implemented  now  is  the  creation  of  an  independent  entity  to  lead  the
            development of cybersecurity requirements, relying on industry expertise and modeled off the electricity
            sector.  The House of Representatives has proposed such an approach in creating a Water Risk and
            Resilience Organization (WRRO)  This would create a more nimble regulatory partnership which could
            link outcomes, requirements, and controls to threats and vulnerabilities.

            In the water sector, like many critical infrastructure industries, cyber security needs to be balanced with
            business interests and cannot be achieved without investments, which need to be recouped in utility
            rates.  What the proposed Water Risk and Resilience Organization would do is set a defensible standard
            for the kind of security and technologies that are necessary for more cyber secure water facilities and




            Cyber Defense eMagazine – June 2024 Edition                                                                                                                                                                                                          167
            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
   162   163   164   165   166   167   168   169   170   171   172