Analysis & Opinions - Belfer Center for Science and International Affairs, Harvard Kennedy School
Clear, Actionable Ways to Enhance Cybersecurity in the Water Sector
In May 2022, Lauren Zabierek, Executive Director of the Cyber Project at the Harvard Kennedy School’s Belfer Center, and Sean Plankey, former Principal Deputy Assistant Secretary in the Office of Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, delivered a talk entitled “We Must Regulate Water and Wastewater Cybersecurity--Here's How” at Hack the Capitol 5.0. The talk was a small discussion during the day-long, multi-track event designed to educate congressional staffers, scholars, and the press on some of the most critical cybersecurity challenges facing our nation today.
Based on the article by Lauren and Belfer Cyber Project nonresident fellow Selena Larson, the talk expanded the concept from the water and wastewater sector specifically to critical infrastructure more broadly. These recommendations (including the specific water recommendations in the paper) are offered in the following categories:
Cybersecurity Legislation
Pass mandatory cybersecurity regulation legislation for critical infrastructure:
- Congress provides Sector Risk Management Agencies (SRMAs) rulemaking authority under an amendment to the Administrative Procedure Act (APA).
- SRMAs engage industry to develop sector-specific rulemaking to minimize cybersecurity risk.
- Require SRMAs to fund and staff advisory boards with participation from private industry and first responders (e.g. the Electricity Sector Coordinating Council, the Oil and Gas Sector Coordinating Council, and the National Maritime Security Advisory Committee).
- Appropriate funding for municipal grants to provide a cybersecurity “standard of care” with breach notification requirements.
Set requirements for cyber disruption and disaster mitigation and response.
Authorize CISA as the standard maker for cybersecurity definitions, and allow the agency to update the definitions as the threat landscape and business models evolve.
Continuity of Economy
Reframe the focus on “left and right of boom” planning. We live in an age of constant disaster.
- Cultivate a preventive rather than reactive culture.
Move incident response mainstream:
- Exercise more than the IT or security teams.
- Include cybersecurity in business continuity planning for disaster response.
Build resiliency through Continuity of the Economy planning:
- Continuity of the Economy planning is required by law: the 2021 NDAA stipulated that the President must create a plan within two years.
- The President must define who is in charge between the National Response Framework, PPD-41, and the National Cyber Incident Response Plan.
- A plan must involve the states and their homeland security and emergency management offices, in coordination with the federal Department of Homeland Security.
- It must also involve funding, regular exercises at the regional and national level, and collection of lessons learned.
Water and Wastewater, Specifically
- Appropriate a state and local grant program for a cybersecurity “standard of care” for municipal utilities, including breach notification and mutual aid among providers.
- Modeled after the CIP framework, incorporate cybersecurity rules into the Environmental Protection Agency (EPA) Sanitary Surveys.
- Add cybersecurity of information and operational technology to the eight focus areas covered by the EPA Sanitary Survey.
- Create North American standards for OT sensors and actuators. Require engineering firms to incorporate cybersecurity into their device engineering design, and require acceptance testing.
- Require detection and response plans aligned with the NIST Cybersecurity Framework and coordinated with the relevant SRMA for all critical infrastructure.
- Codify the Water ISAC list of cybersecurity fundamentals into regulatory requirements for all water and wastewater facilities.
- Address specific regulations based on common cyberattack behaviors, such as:
  - Restricting remote access and externally accessible services
  - Requiring access controls on IT and OT assets
  - Immediately revoking access for outgoing employees
  - Maintaining a resilient control system in which pressure and treatment functions can be run manually
  - Incorporating protective technology
For Academic Citation:
Zabierek, Lauren and Sean Plankey. “Clear, Actionable Ways to Enhance Cybersecurity in the Water Sector.” Belfer Center for Science and International Affairs, Harvard Kennedy School, June 7, 2022.