Water and wastewater treatment may not be at the top of most people’s list of discussion topics, but the more you think about it, the more clear it becomes that this particular subsegment of the utilities market is a vital part of our critical infrastructure.
We rely on the ability to turn on the tap and get clean, safe water every day. And we’ve seen what havoc losing that ability can wreak from the crisis in Flint, MI. As a society, we also rely on the ability to safely treat and dispose of wastewater. No one wants to think about what happens if that’s no longer possible, but some might recall actual rivers catching on fire.
All of this is to say that it’s vitally important to the security of any nation that water supply and wastewater treatment is protected, and in the increasingly connected world we live in, that includes protection from cyber attacks.
Biden-Harris Administration Expands Public-Private Cybersecurity Partnership to Water Sector
The increasing threat of cyber attacks on critical infrastructure is what’s driven the Biden administration to make a focused effort to increase cybersecurity for these industries. We’ve seen the published Executive Order on Cybersecurity, along with the Department of Energy’s 100 day sprint, first for the electric utilities, then for the gas subsector. Now the administration is turning its attention to the water sector with a forthcoming Water Sector Action Plan. On January 27th, the Whitehouse published a fact sheet for this action plan. The administration should be applauded for taking decisive action on protecting critical infrastructure from cyber attacks, and for recognizing the importance of the water sector within that plan.
As with the other sectors previously addressed, we can expect this action plan to focus on some foundational security controls that are largely missing from the water sector. Capabilities like asset inventory, vulnerability detection, configuration management, and change detection are commonly considered among that list. It will be a challenging task to drive the implementation of these controls across such a varied landscape of organizations.
As the fact sheet discusses, the focus will be on monitoring, response, and information sharing. Water treatment facilities won’t be left to figure out the requirements on their own. CISA and the EPA will be putting together a pilot program to help. The language used here is interesting to note. The pilot program isn’t to demonstrate how to implement these controls, though that’s an obvious side-effect, but to “demonstrate the value of such technology to the sector.” This may seem like a small statement, but it underscores that the challenge here isn’t as much technology as education.
The fact sheet calls out that the program will focus on those utilities serving the largest populations first, but ultimately even smaller utilities need to protect themselves. As we’ve learned in the commercial space, being small doesn’t mean you’re not a target for cyber attacks. And water supply is always critical to those the utilities serve.
Ultimately, we’ll have to look to the published action plan to expand on the details. While monitoring and response are important, the need for preventive controls shouldn’t be ignored. Identifying and responding to an attack is sometimes necessary, but avoiding that necessity is highly preferred. Hopefully the forthcoming action plan includes a dose of prevention to go with the detection and response outlined in the fact sheet.