Kansas Unveils Cyber Program to Safeguard Water Systems

Five years after a filter at small drinking water treatment facility in Kansas was compromised and remotely tampered with, the state has launched a cybersecurity assessment program for public water systems.

The state’s new CISO, John Godfrey, calls it a “leading-the-nation initiative,” to protect critical infrastructure. The state has firsthand experience with the risks of vulnerable water treatment systems. In 2019 a former employee of the Post Rock Rural Water District accessed the system’s controls remotely via cellphone, shutting the plant down and turning off one of its filters.

While the former employee’s regular duties for the agency had involved remote access, he hadn’t worked at the facility for two months when he was able to manipulate system controls offsite. He told investigators he was intoxicated at the time of the incident and didn’t remember anything.

In January 2024, Kansas kicked off phase one of a cybersecurity tool in the works since 2021 and developed by the Kansas Information Security Office (KISO), Kansas Department of Health and Environment (KDHE) and the National Cybersecurity Protection program.

KDHE Public Water Supply (PWS) Section Chief Cathy Tucker-Vogel detailed the progress of the new program in the congressional Subcommittee on Environment, Manufacturing and Critical Materials of the House Committee on Energy and Commerce at the end of January, explaining that the tool was created using the Cybersecurity Performance Goals developed by the Cybersecurity and Infrastructure Security Agency (CISA). It includes four stages, the first launched in January.

• Stage one (ongoing): The start of outreach and training to water operators, introducing the assessment program and covering the importance of cybersecurity hygiene to defend against cyber attacks that could disrupt water treatment operations.
  
• Stage two: Operators will be required to complete a three- to four-question electronic survey identifying water systems that have operational technology.
  
• Stage three: All public water systems with operational technology will be required to complete an electronic assessment.
  
• Stage four: Follow-up and technical assistance from CISA and/or KISO for public water systems with cybersecurity vulnerabilities identified during the evaluation completed in phase three.
  

In an interview with Government Technology, Godfrey, who started with KISO in January, said he’s particularly excited to continue the state’s pioneering work in protecting critical infrastructure.

“This training actually helps [public water systems] understand and identify the cyber technology within their facility, and then we assist them in conducting self-assessments to prepare for future external security audits,” said Godfrey. “That really helps them understand what their current state is and what the reality looks like. It's actually a really cool thing.”

According to Tucker-Vogel’s testimony to the Congress subcommittee, there are about 50,000 community water systems in the country, most are governmental entities, facing challenges with aging infrastructure, workforce and lack of resources. A majority, more than 38,000, are small entities, serving 25 to 3,300 people.

“This is an area where we identified a need, and as part of our collaboration and outreach, it just made sense,” said Godfrey, adding that other projects are in the works to protect other types of critical infrastructure. “Stay tuned and see what's ahead. I do think that the work that we've been doing for statewide collaboration and coordination, and our whole-of-state approach fits right into that. That’s the part of the piece that excites me, we're really working hard to do what we can to help folks across the state.”