Gaps in Cybersecurity in the Water Sector
According to the survey, which drew on 606 responses from water and wastewater utilities, about 58 percent of respondents reported having a risk management plan that addresses cybersecurity.
However, only about 23 percent of systems surveyed perform cybersecurity risk assessments annually (7.6 percent do so quarterly and 5 percent do so weekly).
The top challenge for systems serving more than 100,000 people is creating a cybersecurity culture within the utility, according to the survey.
One of the key challenges for water utilities is a lack of visibility into their networked assets, which are increasingly vulnerable to cyberattacks. As cybersecurity professionals often attest, an entity cannot defend what it cannot see or doesn’t know about.
According to the survey, only about 38 percent of utilities have identified all IT-networked assets, with an additional 21.7 percent working to identify all IT-networked assets.
Additionally, only 30.5 percent of water utilities have identified all operational technology (OT)-networked assets, such as industrial control systems, including supervisory control and data acquisition (SCADA) systems, with an additional 22.5 percent working to identify all OT-networked assets.
Water utilities are devoting a small percentage of their total budgets to cybersecurity, according to the survey. Fully 38 percent of systems allocate less than 1 percent of budget to IT cybersecurity, and 22 percent allocate only between 1 and 5 percent of their total budget to IT cybersecurity.
What Water Utility Leaders Say They Need to Improve Cybersecurity
“With threats from increasingly sophisticated and destructive attackers, cybersecurity has become a top priority for water and wastewater systems,” states a memo from the Water Sector Coordinating Council. “Recent incidents have added urgency to discussions within the sector and with Congress and in federal agencies on how best to help utilities improve their cybersecurity.”
The memo notes that survey respondents identified several areas where the federal government can support the water sector. The top four categories are training and education specific to the water sector; technical assistance, assessments and tools; cybersecurity threat information; and federal loans and grants.
“With the exception of federal loans and grants, many such resources already exist between those developed by the sector itself and those contributed by federal agencies,” the survey report notes. “But clearly there is a need for additional resources in order to reach a greater audience among our large and diverse sector. The development and promotion of these resources will require a combined effort between the sector, government agencies, and partners.”
While the current guidelines for critical infrastructure cybersecurity are voluntary, an unnamed senior administration official says the administration “may pursue legislative options, with help from Congress, to require the kind of technological improvements that would defend against such cyberattacks,” as NPR reports.