With growing concern about cyber threats to critical infrastructure in general, water utilities have seen increasing focus on the topic in their sector. Known cyber threats targeting water utilities have further emphasized the need for water utilities to assess the potential cyber risk to their systems. The inclusion of a cyber component in the emergency response plan requirements of America’s Water Infrastructure Act of 2018 has water utilities of varying sizes tackling the ever-changing cybersecurity threat as part of their normal operations.
For some utilities, the question becomes where to turn, either to start tackling the cyber threat or to continue improving the effectiveness of their cyber risk controls. Unfortunately, there is no one-size-fits-all answer. This is further complicated by the fact that they must protect not only their information technology (IT) assets but also their operational technology (OT) systems. Small utilities may not have a dedicated technology professional, much less a cybersecurity staff member.
Many utilities are turning to industry-specific organizations such as the National Rural Water Association or the American Water Works Association, which offer various resources to their members. These range from cybersecurity primer and guidance documents to in-person classroom training. Many of these organizations have state chapters that offer local and regional meetings and conferences where utility staff can not only learn about cybersecurity topics but also network and discuss them with their peers.
State, local, county and tribal government entities, which often include water utilities, can obtain current threat information, tools and timely information on cyber trends from the Multi-State Information Sharing and Analysis Center (MS-ISAC). Many water sector organizations also sponsor an industry-specific Information Sharing and Analysis Center known as WaterISAC, which focuses on sector-specific topics. For utilities just starting their cybersecurity readiness journey, WaterISAC has published a “Cybersecurity Fundamentals for Water and Wastewater Utilities” guide, which contains best practices that water utilities can implement to reduce their security risks. Portions of this guide are also contained within the Environmental Protection Agency’s “Water Sector Cybersecurity Brief for States” document. Another organization utility employees are turning to is InfraGard, the FBI’s public-private outreach program, which has a specialized Water and Wastewater Sector component as well as regular in-person meetings and conferences across the nation.
While utilities tackle cybersecurity as part of their daily operations, government officials and agencies that manage emergency response are facing the challenge of how to respond to cyber threats against their water infrastructure. Many are partnering with various utilities to bridge the skills and resources gap in this area. Water utility staff are finding themselves participating in state-run emergency response exercises where the scenarios have an increasing cyber component. The involvement of water utilities in these events helps emergency managers better understand some of the water-industry-specific components that affect their response in a disaster. This not only helps create better cyber response plans but also grows the network of skilled cyber defenders that emergency management can reach out to in the event of an actual emergency.
As the Department of Homeland Security has identified the supply of water as a key component of their new National Critical Functions Set, it is certain that protecting water infrastructure from cyber threats will continue to grow in importance.