Security news that informs and inspires

White House Advisory Group: Water Sector Needs Cybersecurity National Standard

By

A White House advisory group, the President’s National Infrastructure Advisory Council (NIAC), is calling for a water industry national standard for cybersecurity “that is affordable and attainable by all utilities.”

U.S. government agencies have faced roadblocks in trying to figure out how to assess, develop and implement baseline security requirements in the water sector. Earlier this year, the U.S. Environmental Protection Agency (EPA) issued a memorandum recommending that cybersecurity assessments be included in required annual water system evaluations. The backlash was swift: Several attorneys general from Iowa, Arkansas and Missouri promptly filed a flurry of lawsuits, saying the rule would impose significant costs on small and rural public water systems, among other issues, and in July a U.S. appeals court temporarily blocked the plan.

The NIAC said that its recommendation for the national standard for cybersecurity aims to address some of the concerns put forward in these lawsuits, including budgeting challenges, personnel issues and a lack of available resources.

“The lawsuit in March 2023 initiated by certain states against the EPA ruling that requires water authority to upgrade their cybersecurity system is the type of disagreement that needs to be settled out of court and further supports the NIAC’s recommendation for a comprehensive water strategy and a Department of Water,” according to the NIAC report. “The main objection made by those states was that it would be too costly to suppliers who will then need to pass on the cost to consumers. In addition, their objection was a lack of staffing, training, and expertise to evaluate cybersecurity programs.”

The NIAC is made up of various senior executives from the private and public sector that own or operate critical infrastructure, and advise the White House on how to reduce physical and cyber risks for critical infrastructure. The NIAC’s report comes after it was charged by the National Security Council to address the rapidly changing threats facing the water sector as a whole, beyond just cybersecurity.

However, cybersecurity was cited throughout the report as a challenge, alongside other problems that the water sector is grappling with (such as water supply sustainability, water quality issues and more). That’s partly because the U.S. government and private sector organizations have cited the need for security protections in this sector after several incidents over the past few years. Last month, the Department of Justice (DoJ) charged a former water treatment facility contractor for allegedly gaining unauthorized access to the computer network for the Discovery Bay, Calif.-based facility and uninstalling its main operational and monitoring system, for instance. In 2021, a 22-year-old man pleaded guilty to accessing a Kansas public water system’s computers in 2019 in order to shut down the processes behind the facility’s cleaning and disinfecting procedures. Both these incidents highlight the dangers that can stem from unauthorized access to public water plant systems that collect, treat and distribute water for drinking.

The NIAC stressed that the industry should invest in cybersecurity systems at water plants and on military bases. However, the report acknowledged that water utilities face an array of challenges that make it more difficult to implement cybersecurity measures. This includes the ability to attract personnel that specializes in cybersecurity.

“Without additional investment in technologies routinely employed in other infrastructure and employees, water utilities will be hard pressed to find the skilled employees needed to meet their cybersecurity needs, additionally utilities must protect customer data and maintain secure control of all processes within their systems,” according to the NIAC report.

This issue is even more challenging for the public sector, which must compete for talent with the private sector, according to the NIAC. Water utilities aren’t just struggling to attract talent - CISA has previously recognized that local critical infrastructure utilities have “asymmetric” access to resources as a whole. Water utilities in rural areas, for instance, may not have the budget for cybersecurity talent.

“I agree that a specialized workforce is needed,” said Jennifer Lyn Walker, director of Cyber Defense for Gate 15, and director of Infrastructure Cyber Defense for WaterISAC. “The large (better resourced) utilities are more inclined to have specialized staff, although some may not offer truly competitive wages. I believe many (if not most) of the small utilities (less resourced) aren’t even considering specialized staff, let alone the ability to afford them.”