Critical Infrastructure Security
Water Sector Lacks Support to Meet White House Cyber Demands
Experts Say Water Sector Lacks Technical Resources to Comply With Federal RequestsCybersecurity experts are raising the alarm about underfunded water and wastewater utilities across the country as the Biden administration urges states to better protect the sector against growing cyberthreats.
See Also: Webinar | Prisma Access Browser: Boosting Security for Browser-Based Work
The administration convened state environmental, health and homeland security agencies for a virtual meeting Thursday to discuss ongoing efforts to improve cybersecurity in the water sector. The meeting followed a letter the White House and the Environmental Protection Agency sent to all U.S. governors on Tuesday warning that hackers associated with the Iranian and Chinese governments pose a significant threat to drinking water and wastewater systems nationwide.
"Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," the letter says.
Experts told Information Security Media Group the U.S. water and wastewater sector lacks funding and technical resources to comply with federal cybersecurity recommendations, even with the wide variety of free and low-cost resources launched in recent years through the Environmental Protection Agency and Cybersecurity and Infrastructure Security Agency.
"In many cases, more technical resources need to be provided [or] subsidized for these utilities to be able to actually implement even the most basic cybersecurity fundamentals," said Jennifer Lyn Walker, director of infrastructure cyber defense for the Water Information Sharing and Analysis Center.
CISA has established state and local cybersecurity grant programs for utilities, as well as clean water and drinking water state revolving funds. The U.S. cyber defense agency also offers local technical assistance and training resources to water authorities, in addition to a free scanning service that looks for internet-facing vulnerabilities.
The FBI and the EPA also provide a range of toolkits and cybersecurity incident action checklists for water and wastewater sector owners and operators, as well as a water and wastewater systems sector cybersecurity program that can provide technical support for local personnel.
"State and local agencies are chronically tight on funding, and cybersecurity is a line item - an expensive line item - that wasn't on most agency budgets a few years ago," said Sean Deuby, principal technologist for the threat mitigation platform Semperis. "CISA and other government agencies are now providing timely information, recommendations, some technical assistance and some funding, but agencies are not historically rapid-reaction organizations."
The U.S. water sector - which includes approximately 148,000 public water systems and more than 52,000 community systems - is increasingly being seen as a prime target for foreign adversaries and cybercriminals. CISA, the EPA and the FBI published a joint incident response guide in January aiming to help water and wastewater systems establish incident response plans and enhance information-sharing efforts with the federal government (see: New Guidance Urges US Water Sector to Boost Cyber Resilience).
Experts have long warned that federal cybersecurity mandates for the water sector often lack accompanying funding mechanisms. Rick Jeffares, president of the Georgia Rural Water Association, testified to Congress in January about the aging water sector workforce in Georgia, where the average worker is 58 years old.
"The reality is: Most rural utilities lack the financial resources and in-house expertise to defend themselves," Jeffares told lawmakers (see: Water Sector Leaders Urge Congress to Fund Cyber Mandates).
Experts told ISMG that larger, better-funded water authorities generally have enough resources and funding to adequately fulfill the recommendations laid out in the White House letter to state governors.
"We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices," the letter says. "In many cases, even basic cybersecurity precautions - such as resetting default passwords or updating software to address known vulnerabilities - are not in place and can mean the difference between business as usual and a disruptive cyberattack."
Hackers have targeted the water sector as far back as 2006, when a water filtration system in Harrisburg, Pennsylvania, was affected by a malware infection, according to Malachi Walker, security adviser for the software security firm DomainTools.
"Despite these threats and impacts, compared to the energy sector, there are significantly fewer regulations related to water and water utilities," Walker said. "The White House and EPA calling attention to the inadequate protections these systems have against a recent upsurge in critical infrastructure attacks is a crucial first step in strengthening cyber resilience for the water sector."