Advancing a Sustainable Foundation for Cybersecurity
Author: Kevin M. Morley
Journal - American Water Works Association, volume 117, issue 5, page 8. Journal Article, published 2025-05-13.
DOI: 10.1002/awwa.2447 (https://onlinelibrary.wiley.com/doi/10.1002/awwa.2447; PDF: https://onlinelibrary.wiley.com/doi/epdf/10.1002/awwa.2447)
Impact factor 0.7; JCR Q4 (Engineering, Civil); region category: Environmental Science and Ecology. Not open access.
Citations: 0
Abstract
Myriad criminal and foreign actors are targeting water and other critical infrastructure systems. To date, acknowledged cyberattacks have not inspired action in the water sector as much as experts in national security and cybercrime believe is needed. Moreover, the risks that cybersecurity gaps pose to core water system functions do not appear to be adequately recognized.
The attacks on Sept. 11, 2001, led to a heavy emphasis on physical security solutions. While needed, this emphasis occurred to the detriment of needs related to cybersecurity and preparedness. The physical security improvements provided multiple benefits, but opportunities were missed to make similar investments for building resilience to sustain water systems’ continuity of service. The 2018 amendments to §1433 of the Safe Drinking Water Act (SDWA) intended to correct this imbalance by requiring systems to evaluate threats from both malevolent acts and natural hazards, recognizing that the latter have a significantly higher likelihood of occurring in any given day or year.
Today, there is nearly a 100% probability that every water system, regardless of type or size, is at risk of such attacks. Consequently, adequate prioritization of cybersecurity risk management is essential to utility leadership meeting their fiduciary duty to their ratepayers.
Beyond this obligation, there are legal “motivators” to act responsibly. SDWA §1433 obligates covered systems to consider cyberthreats to the full gamut of information and operational technology deployed. Section 1433 goes on to require covered systems to have “strategies and resources to improve the resilience of the system.” This statutory expectation applies to both physical security and cybersecurity.
AWWA's cybersecurity guidance and assessment tool have provided a structured approach tailored to identifying what cyber vulnerabilities have the highest priority based on how a system uses technology. Recent revisions provide an updated approach that begins with cybersecurity fundamentals—“the first mile”—that will provide the most immediate risk-reduction value to systems where those measures are not already implemented.
AWWA's State of the Water Industry Report demonstrates that awareness of cyberthreats is higher than it has ever been, rising in the past several years to consistently rank in the top 10 utility manager concerns. Progress indeed, but not enough to convince various federal decision makers that enough has been done. There are recurring calls for greater regulatory oversight and enforcement by the US Environmental Protection Agency (EPA) or states. AWWA and partners are supporting policy initiatives designed to provide a sound footing for sensible, risk-based cybersecurity measures in the sector that include additional funding, technical assistance, and enhanced information-sharing.
AWWA also supports H.R. 2594, the Water Risk and Resilience Organization (WRRO) Establishment Act, which authorizes an independent, nongovernmental organization to develop minimum cybersecurity requirements for the water sector, with EPA oversight. The WRRO is modeled on provisions in the Energy Policy Act of 2005, which led to the designation of the National Electric Reliability Corporation as an Electric Reliability Organization with oversight by the Federal Energy Regulatory Commission. This type of sector-led governance structure was examined in a 2021 report prepared for AWWA and later highlighted in recommendations prepared by The Foundation for Defense of Democracies for congressional consideration to address concerns identified by the Cyberspace Solarium Commission.
A sector-led model is essential to ensure direct engagement by water system owners, operators, and subject-matter experts in the development of cybersecurity requirements that can be “right-sized” to the needs of water systems. The sector is well aware of the limitations of one-size-fits-all regulatory structures. The WRRO provides an opportunity for the sector to manage cybersecurity in a manner that builds and enhances cybersecurity maturity.
Not only has legislation been introduced to establish a WRRO, but the sector has also been successful in promoting the introduction of bills that support cybersecurity improvements in other ways. Companion bills H.R. 2109 and S. 1018 would provide funding for circuit riders who support implementation of cybersecurity best practices at small systems. H.R. 2344 would support improving water systems’ access to threat intelligence and information-sharing. The sector's active support for these bills is essential to their passage into law and to advancing a sustainable foundation for improving water sector cybersecurity.
Journal introduction:
Journal AWWA serves as the voice of the water industry and is an authoritative source of information for water professionals and the communities they serve. Journal AWWA provides an international forum for the industry’s thought and practice leaders to share their perspectives and experiences with the goal of continuous improvement of all water systems. Journal AWWA publishes articles about the water industry’s innovations, trends, controversies, and challenges, covering subjects such as public works planning, infrastructure management, human health, environmental protection, finance, and law. Journal AWWA will continue its long history of publishing in-depth and innovative articles on protecting the safety of our water, the reliability and resilience of our water systems, and the health of our environment and communities.