Senate Hearing: Protecting Water Infrastructure from Cybersecurity Threats

Cybersecurity Challenges for Water Systems

• ⚠️ Cybersecurity threats to drinking water and wastewater systems are increasing, with adversaries like Iran, China, and Russia targeting critical infrastructure.
• 💡 Attacks can range from ransomware compromising data to manipulating operational technology, potentially altering chemical levels or disrupting water distribution.
• 💻 The rise in cyber attacks coincides with the deployment of new digital control technologies, increasing system efficiency but also vulnerability.

Hurdles for Utilities

• 📉 Many water utilities, especially small rural systems, face significant challenges due to legacy systems, workforce shortages, and limited capacity for cybersecurity hygiene.
• 🔑 Common vulnerabilities include exposed remote access, default passwords, flat networks, and unpatchable legacy equipment, often due to lack of dedicated IT or cybersecurity staff.
• 💰 Implementing cybersecurity measures competes with other critical needs like infrastructure upkeep and maintaining affordable services for rate payers.

Proposed Solutions and Strategies

• 🤝 Collaboration between utilities, federal agencies, and cybersecurity experts is crucial for increasing system resiliency.
• 🛠️ A circuit rider-style cybersecurity program, modeled after USDA's technical assistance, is suggested to provide practical support to rural utilities.
• 📚 Stackable micro-credentials for working operators are being developed to equip them with essential cybersecurity skills like secure remote access and incident response.
• ⚖️ Striking a balance between federal guidance and empowering local utilities is key, avoiding one-size-fits-all mandates that can be overly burdensome.

The Role of Federal Agencies and Partnerships

• 📈 The Infrastructure Investment and Jobs Act provided some funding for cybersecurity projects, but more is needed.
• 🎯 Grant programs like EPA's midsize and large drinking water system infrastructure resilience and sustainability program require adequate funding to be effective.
• 🌐 Organizations like Water ISAC play a vital role in information sharing and real-time assistance, but require sustained support and funding.
• 💡 A Water Risk and Resiliency Organization (WRO), modeled after the energy sector's NERC, is proposed to develop tailored cybersecurity guidelines for different system sizes and risk profiles.

Importance of Collaboration and Awareness

• 🧠 Human error remains a significant factor, highlighting the need for continuous training and awareness programs for utility staff.
• 📞 In case of a breach, reaching out to trusted resources like state rural water associations or agencies like CISA is the immediate first step.
• 📝 Developing a cyber response plan is essential for utilities of all sizes to know how to react during an incident.
• 📊 Better data on attack frequency, sources, and methods is needed to inform best practices and preventative measures.