Security

How Water Utilities Can Embrace Cybersecurity Controls

Critical infrastructure providers in the water sector face gaps on IT security and say they need more training, technical assistance and federal funding,

Phil Goldstein

Twitter

Phil Goldstein is a former web editor of the CDW family of tech magazines and a veteran technology journalist. He lives in Washington, D.C., with his wife and their animals: a dog named Brenna and two cats, Grady and Princess.

Last week, the Biden administration released a national security directive aimed at improving the cybersecurity of critical infrastructure providers, including those in the power, water and transportation sectors.

The directive comes after high-profile cyberattacks against water treatment plants, energy pipelines and other critical infrastructure entities, and is designed to establish voluntary cybersecurity performance standards.

One element of the directive is an “Industrial Control Systems Cybersecurity Initiative” aimed at “encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.”

Additionally, under the policy, the Department of Homeland Security has been tasked with establishing preliminary cybersecurity goals for control systems across critical infrastructure sectors no later than Sept. 22, meeting final cross-sector control system goals within a year.

Meanwhile, a recent survey of the water and waste management sector reveals significant gaps in cybersecurity, according to an April survey from the WaterISAC. The survey, released in mid-June, found that “many utilities are implementing cybersecurity best practices, but many others’ cybersecurity programs are incomplete.”

Gaps in Cybersecurity in the Water Sector

According to the survey, which drew on 606 responses from water and wastewater utilities, about 58 percent of respondents reported having a risk management plan that addresses cybersecurity.

However, only about 23 percent of systems surveyed perform cybersecurity risk assessments annually (7.6 percent do so quarterly and 5 percent do so weekly.)

The top challenge for systems serving more than 100,000 people is creating a cybersecurity culture within the utility, according to the survey.

One of the key challenges for water utilities is a lack of visibility into their networked assets, which are increasingly vulnerable to cyberattacks. As cybersecurity professionals often attest, an entity cannot defend what it cannot see or doesn’t know about.

According to the survey, only about 38 percent of utilities have identified all IT-networked assets, with an additional 21.7 percent working to identify all IT-networked assets.

Additionally, only 30.5 percent of water utilities have identified all operational technology-networked assets, such as industrial control systems, such as supervisory control and data acquisition (SCADA) systems, with an additional 22.5 percent working to identify all OT-networked assets.

Water utilities are devoting a small percentage of their total budgets to cybersecurity, according to the survey. Fully 38 percent of systems allocate less than 1 percent of budget to IT cybersecurity, and 22 percent allocate only between 1 and 5 percent of their total budget to IT cybersecurity.

What Water Utility Leaders Say They Need to Improve Cybersecurity

“With threats from increasingly sophisticated and destructive attackers, cybersecurity has become a top priority for water and wastewater systems,” states a memo from the Water Sector Coordinating Council. “Recent incidents have added urgency to discussions within the sector and with Congress and in federal agencies on how best to help utilities improve their cybersecurity.”

The memo notes that survey respondents identified several areas where the federal government can support the water sector. The top four categories are training and education specific to the water sector; technical assistance, assessments and tools; cybersecurity threat information; and federal loans and grants.

“With the exception of federal loans and grants, many such resources already exist between those developed by the sector itself and those contributed by federal agencies,” the survey report notes. “But clearly there is a need for additional resources in order to reach a greater audience among our large and diverse sector. The development and promotion of these resources will require a combined effort between the sector, government agencies, and partners.”

While the current guidelines for critical infrastructure cybersecurity are voluntary, an unnamed senior administration officials says the administration “may pursue legislative options, with help from Congress, to require the kind of technological improvements that would defend against such cyberattacks,” as NPR reports.

EXPLORE: Researchers are developing tools to help utilities combat cyberattacks.

tuachanwatthana/Getty Images