San José-Santa Clara Regional Wastewater Facility. Photo by John Cameron, Unsplash
Recent events highlight the fact that water systems are targets for cyber attacks. There are ways of strengthening defenses at little to no cost, but more needs to be done to implement them.
The EPA has warned states that foreign actors are targeting specific water system equipment with security vulnerabilities.
The EPA announced it would create a task force on cybersecurity for the water sector.
The American Water Works Association has developed no-cost resources that can improve cybersecurity.
In a mid-March letter to governors, Environmental Protection Agency (EPA) Administrator Michael Regan issued a warning about “disabling” cyber attacks against water and wastewater systems in the U.S. by hackers affiliated with the governments of Iran and China. This followed an earlier alert from the Cybersecurity and Infrastructure Security Agency (CISA) that computers used to control some systems were being targeted, in particular a specific device manufactured in Israel.
None of the attacks has had a significant impact on a water system, and CISA’s alert detailed which equipment was at risk, its vulnerability and what to do about it. But they were concerning enough to prompt the EPA to announce it was forming a Water Sector Cybersecurity Task Force, drawing on recommendations from state officials.
Protecting water systems from bad actors outside the U.S., or ransom-seeking criminals within it, is a complicated, multidimensional challenge. There are around 150,000 public drinking water systems in the U.S., as well as over 16,000 wastewater treatment systems that are publicly owned. More than 97 percent are small, serving 10,000 people or more, and are less likely to have dedicated information technology or cybersecurity staff.
The American Water Works Association (AWWA) is a nonprofit whose members include utilities that bring water to 8 in 10 Americans. AWWA’s Kevin Morley testified in two recent House hearings focused on collaborative approaches to water system cybersecurity.
Morley spoke with Governing about last month’s warning, the work AWWA has been doing with the federal government, and no-cost resources that are helping utility managers address vulnerabilities. Here are edited excerpts from that interview:
Governing: How serious was the incident in Pennsylvania late last year, when there was evidence of a breach by hackers affiliated with Iran?
Kevin Morley: I think we need to be cautious with a “sky-is-falling type” of discussion. That distracts people from the actual goals and objectives. It was an incident that was contained and managed in part because of the redundancies that water utilities have.
In many cases, they’re able to switch over to manual controls. That’s not always going to be the case, but it’s a testament to the resiliency of water systems and the inherent redundancy that we have in our operations to ensure continuity of service 24/7.
Governing: How would you characterize the overall state of attention to cybersecurity?
Morley: This is a very big and diverse sector that runs anywhere from large cities to small-town America. The needs and in-house capabilities to address cybersecurity are really different, especially when you get down to those smaller communities where they’re not going to have a CISO or a CIO.
We do an annual state of the industry report, and 10 or 15 years ago cybersecurity wasn’t on the list of top-ranked issues. Now it’s consistently in or close to the top 10. We’ve moved a very long way. We still have a way to go to get everybody to a common baseline, but that’s our objective with the resources we have developed and the work we’re doing with our federal partners.
Governing: Any important first steps in this direction?
Morley: CISA has a free vulnerability scanning service. A utility can enroll in that. You provide them with your IP address, and they scan Internet-facing systems. They’re looking at the same things that the bad guy sees when they’re looking at your network. They will then send a report to the end user about what they’ve seen and recommended mitigations.
That is very empowering to a utility with limited in-house capacity. What we’ve seen with entities that have enrolled is that there’s on the order of a 40 percent reduction in vulnerabilities within the first couple of months.
Governing: Is there enough awareness of this tool?
Morley: If a small or medium system with limited capacity happened to stumble onto that page on the CISA website, there was no explanation of the value proposition. We worked with CISA last summer and developed a fact sheet that really unpacks not only how you enroll in the process but also what the end user gets from being part of it.
Message simplification is really important. If you give anybody a list of 30 things to do, it’s a bit overwhelming. With the attacks that we were just talking about, publicly facing Internet devices were a principal mode of action.
How do we get rid of that risk? The vulnerability scanning service helps people discover that their devices are publicly facing. You add in some governance stuff on credentials and passwords, along with multifactor authentication, and you’re knocking off what have mostly been some fairly unsophisticated attacks across multiple sectors.
Governing: Where do the materials that AWWA has created fit into this?
Morley: When the NIST (National Institute of Standards and Technology) created the cybersecurity framework in 2014, we worked very closely with the Department of Homeland Security, EPA and NIST. When the framework came out we released our risk management tool on the same day.
At the front end of that tool is a set of questions. You answer them based on the technology that you use in your system, and you get a tailored bucket of controls that are most relevant. Then you go through an iterative process. Is the control recognized, fully implemented, partially implemented, on the capital plan?
Rather than going to leadership or management and saying you need $50,000 to do X, Y and Z you can say, “I’ve got an assessment that says I’ve implemented 60 percent of the priority one controls, and it would take us $50,000 over the next six months to get to 100 percent.” It changes the conversation from being a bunch of technical speak that people don’t necessarily understand to more of a business or risk management decision with some informed guidance.
In the small-systems version of that tool we broke it down to looking from the perspective of a fairly simple groundwater system that has minimal automation in its processes.
Governing: What more is needed?
Morley: Knowledge transfer is where the rubber hits the road, whether it’s our guidance or something else. Getting knowledge into the hands of owner-operators through a trusted partner like an AWWA or some of the other sector associations actually working in the field is the force multiplier that’s necessary.
The other piece is in the realm of what I would call “governance and oversight” or “accountability.” We’ve recommended an approach where we create an independent, non-federal entity to develop and lead the development of minimum cybersecurity practices using a risk- and performance-based approach with oversight from the EPA. It really needs to be tiered because what you would do for a small system isn’t really appropriate for the big system.
We need to bring everybody along in a way that is not overly punitive; we want people to be successful and we need to help them be successful. I think we’ve got the tools and the guidance to do that.
Governing
Governing: The Future of States and Localities takes on the question of what state and local government looks like in a world of rapidly advancing technology. Governing is a resource for elected and appointed officials and other public leaders who are looking for smart insights and a forum to better understand and manage through this era of change.