Rep. Ritchie Torres — vice chair of the Committee on Homeland Security and a member of the Subcommittee on Cybersecurity, Infrastructure Protection and Innovation — said the U.S. is particularly at risk to cyber attack because much of its infrastructure is automated or digitized.
The recent arrests of alleged perpetrators behind the LAPSUS$ cyber crime group is also a stark reminder that cyber attackers need relatively few resources to wreak considerable damage.
“LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of cybersecurity risk management company Tenable. “Consider Russia with much deeper pockets, focus and mission targeting critical infrastructure.”
The water sector could be at particular risk and has been previously referred to by Cyberspace Solarium Commission Executive Director Mark Montgomery as critical infrastructure’s “weakest link.”
Boosting the water system’s defenses could mean deepening industry-federal partnerships to ensure water entities are receiving quick, actionable advice tailored to their specific contexts, as well as establishing minimum cybersecurity standards across the sector, said Kevin Morley, federal relations manager for the American Water Works Association (AWWA), during the hearing.
The Challenge of Water
Unlike its more consolidated critical infrastructure counterparts, the water sector is in the hands of a vast array of organizations, many of which are small and under-resourced.
“There are more than 45,000 community water systems that serve fewer than 3,300 people,” Morley told federal legislators.
The sector also relies on a variety of physical infrastructure, and updating operational technology (OT) can be slow going, especially because services must run 24/7.
“Rehabilitating or upgrading those OT systems can often be a three- or four-year capital improvement project to ensure that the system maintains operations during that whole period. So, it’s not a rapid process, but support from our federal partners is encouraging,” Morley said.
Operational technology systems are also increasingly getting connected to Internet or cellular to enable gathering remote data to support activities like metering and billing or predictive equipment maintenance, Yoran noted. But these connections then need to be protected against potential cyber vulnerabilities.
Rep. Carlos Gimenez, R-Fla., suggested removing such risks via a mandate forbidding critical infrastructure operators from connecting operational technology to the external Internet, something Yoran said operators would likely find impractical.
The White House has also been putting attention on such vulnerabilities and recently raised funding for CyberSentry, a voluntary program that deploys sensors to monitor participating critical infrastructure owners and operators’ OT and IT networks. The new appropriations bill budgets $95.5 million above what the Cybersecurity and Infrastructure Security Agency (CISA) had requested for the program, per LawFare.
Getting Communications Right
Morley said that the “Shield’s Up” website CISA launched recently to explain how organizations can improve their cyber postures has helped consolidate useful information in one space, making it easier for organizations to keep up with the latest threat and mitigation information.
Still, federal partners need to be careful that threat alerts and advice aren’t too technical for small water entities to parse and understand how to apply to their particular systems and contexts, Morley said. After all, many of these entities don’t have any cyber staff to decipher the intelligence.
That’s one place where sector partnerships can kick in, with the Environmental Protection Agency (EPA) and other water sector groups able to frame threat information to be most relevant to their space.
“Certain advisories, in some cases, have a certain level of technical sophistication that probably requires a little bit of contextualization. And that’s why we would encourage a little more frontline engagement between EPA and CISA, to ensure that that information is actionable to our members at the smallest level,” Morley said.
Entities also want to receive governments’ threat alerts as fast as possible.
Many testifying during the hearing praised the Joint Cyber Defense Collaborative (JCDC) and the government’s push to declassify and share information more rapidly, but any extra speed counts.
Government information sharing can get slowed down by concerns over what to declassify, but Morley said water entities are rarely looking for sensitive details like those about attributions and tactics. Instead, they often just want to know when a new vulnerability has been detected and what they should do to mitigate it.
Another piece of the puzzle is making sure entities are keeping up their cyber hygiene and at least doing the basics of defense. To that point, Morley advocated for creating a minimum set of “tiered risk- and performance-based” cybersecurity standards for water sector entities.
