White House Water Security Support Will Pay Off for Utilities

President Biden launched a cybersecurity task force to support America’s water and wastewater sectors in late January. And rightly so — hackers around the world are already trying to breach wastewater plant systems, sneak into water utility networks and compromise water supplies in the United States. Luckily, they haven’t been very successful — yet.

Fresh federal attention and, most importantly, investment in coordinated cybersecurity at the municipal level is validation of years spent by water and wastewater leaders tirelessly championing security across the sector. It also validates the paramount role water and wastewater IT leaders play in maintaining operations on a community level, as well as for national security in general. The work is never done, but we’re optimistic this latest development will drastically improve cybersecurity tied to community safety and serve as a benchmark for other sectors facing escalating risks.

A SINK-OR-SWIM MOMENT FOR THE WATER SECTOR

Within the sector, water and wastewater pros have kept pace with understanding intensifying cyber risks to plants, utilities and communities for years. Most have been vocal in city council and stakeholder meetings about the need for an all-hands-on-deck effort to combat intensifying risks to digital and physical infrastructure for just as long. But public-sector budgets are tight, and cybersecurity initiatives have been historically under-resourced.

At the same time, increasingly Internet-connected services and applications have expanded remote access to water and wastewater networks powering every aspect of operations — and hackers know it. For example, it’s possible for threat actors to exploit a remote desktop protocol (RDP) that is insecurely connected to the Internet to infect a water or wastewater network with ransomware. If the RDP is used for process control equipment, the attacker could also compromise or otherwise disrupt water or wastewater operations in the physical world. This is more possible than ever with increased remote operations directly resulting from the COVID-19 pandemic.

President Biden’s decision to extend the White House cybersecurity task force to water and wastewater is poised to meaningfully improve overall cybersecurity and information-sharing across the sector — and country. But the clock is ticking. And there’s a widening technology and strategy deficit at the center of American infrastructure protection that unfortunately extends to water and wastewater.

MAJOR WATER CYBERSECURITY ISSUES TO PRIORITZE

So what should be the outcome of the federal initiative? Here are three of the most pressing IT priorities that need to be addressed in every community across the country:

1. Unmaintained and unmonitored systems: As with other sectors powering American society from transportation to health care, a critical cybersecurity issue can result from something as straightforward as aging software. As the remote poisoning attempt on a water system in Florida shows, cyber risks emerge when there’s a failure to update or uninstall aging digital services and applications. In that particular case, the hacker was able to exploit a program that hadn’t been used in months but still resided on the Oldsmar water treatment plant’s IT system. Technology has evolved quickly since the onset of digital transformation in the water industry, and utilities need the appropriate resources to weed out and replace vulnerable legacy systems. Continuous monitoring and maintenance is critical to patch aging software and operating systems against exploits. This extends to embedded systems firmware in operational monitoring and measurement systems specific to the water industry. Federal resources should support utilities in their efforts to consolidate and update their tech stacks, and train municipal-level staff to constantly monitor networks, systems and platforms.

2. Broken connections: Another prominent cybersecurity issue stems from water utility and wastewater plant IT departments around the U.S. commonly relying on a patchwork of platforms and tools to monitor security, engage with customers and do everyday tasks. Even successfully deployed tech solutions that improve digital operations can introduce unintended consequences like unintentionally connecting a SCADA solution to the public Internet. IT solutions put in place to aid remote monitoring on an operational technology network could unintentionally compromise the integrity of these complex systems of systems.

To be clear, SCADA data can and should be leveraged to power online dashboards that allow users to spot threats and issues in the water treatment and distribution network sooner. Problems can occur, however, when the system itself is set up to allow online controls. An air gap is essential. The good news is that new cloud-based tools can enable integrations between these core systems within a utility through secure back-end channels (APIs) while also eliminating the risks that come with running manual uploads. Funding for application rationalization to chip away at the patchwork of legacy IT systems in water and wastewater is a key area where funding from the White House task force effort can make a difference.

3. Cybersecurity training and coordination: Water systems have unique vulnerabilities and risks that benefit from targeted information sharing and coordination. Updates and alerts relevant to water systems will elevate engagement and preparedness, especially in light of the need for coordinated readiness against ransomware attacks. A water utility in Idaho likely operates with a different set of cybersecurity protocols than a wastewater plant in New Hampshire. When the big picture of national security is taken into account, there’s national and local interest in standardizing policies to ensure equal — or as close to equal as possible — footing when it comes to water and wastewater cybersecurity.

Progress involves leveraging the White House’s involvement to:

1. Invest in the basics of educating the staff about cybersecurity threats and practices
2. Train users through awareness and simulations to recognize and report phishing and social engineering attempts
3. Identify and suspend access of users exhibiting unusual activity

As the list of water and wastewater cyber risks grows and intensifies (which it will in perpetuity), it’s more important than ever for efforts like the White House task force to execute plans with efficiency and effectiveness. A straight path to progress in reducing water and wastewater cyber risks involves: replacing the patchwork of IT systems used today with strategic investments in a centralized solution, staff training, routine software upgrades and usefulness audits, application rationalization and policy standardization. A tall, but possible, order now that federal funding is in play.

LOOKING AHEAD

Every water and wastewater system around the United States is undergoing some level of modernization, digital transformation and automation. At the same time, hackers and tools they use to infiltrate networks, exploit devices and manipulate software are becoming more sophisticated. It’s never been more important to shore up infrastructure systems and coordination among departments, teams and organizations.

President Biden’s task force is in a unique position to help local counterparts validate concerns voiced for years at this point, mitigate a growing list of sector-specific risks and boost overall national cybersecurity in the process. Promised funding, technology installations and upgrades, information-sharing and technical support from CISA, the EPA and other federal participants will help close a persistent gap between the need to boost water network and infrastructure cyber defenses and the ability to implement upgrades. Success requires every bit of the work to be informed by real-world context, carried out with transparency and trust, and designed to continue improving security conditions beyond the 100-day timeline.

David Lynch is the co-founder and CEO of Klir, the operating system for water. Ed Tobin is Klir's head of engineering.