Article
from Belfer Center for Science and International Affairs, Harvard Kennedy School

Clear, Actionable Ways to Enhance Cybersecurity in the Water Sector

In May of 2022, Lauren Zabierek, Executive Director of the Cyber Project at the Harvard Kennedy School’s Belfer Center, and Sean Plankey, former Principal Deputy Assistant Secretary in the Office of Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, delivered a talk entitled “We Must Regulate Water and Wastewater Cybersecurity--Here's How” at Hack the Capitol 5.0. The talk was a small discussion during the day-long, multi-track event designed to educate congressional staffers, scholars, and the press on some of the most critical cybersecurity challenges facing our nation today.

Based on the article by Lauren and Belfer Cyber Project nonresident fellow Selena Larson, this talk expanded the concept from the water and wastewater sector specifically to encompass critical infrastructure more broadly. These recommendations (including specific water recommendations in the paper) are offered in the following categories:

  • Cybersecurity Legislation
  • Continuity of Economy
  • Water and Wastewater, Specifically

Pass legislation for mandatory cybersecurity regulations for Critical Infrastructure:

  • Congress provides Sector Risk Management Agencies (SRMAs) rulemaking authority under an amendment to the Administrative Procedure Act (APA).
  • SRMAs engage industry to develop sector-specific rulemaking to minimize cybersecurity risk.
  • Require SRMAs to fund and staff advisory boards with participation from private industry and first responders (e.g. Electricity Sector Coordinating Council, Oil and Gas Sector Coordinating Council, National Maritime Security Advisory Committee).
  • Appropriate funding for municipal grants to provide a cybersecurity “standard of care” with breach notification requirements.

Set requirements for cyber disruption and disaster mitigation and response.

Authorize CISA as the standard maker for cybersecurity definitions, and allow the agency to update the definitions as the threat landscape & business models evolve.

Reframe the focus on “left and right of boom” planning. We live in an age of constant disaster.

  • Cultivate a preventative, rather than reactive, culture

Move Incident Response Mainstream:

  • Exercise more than the IT or Security Teams
  • Include cybersecurity in Business Continuity Planning for Disaster Response

Build Resiliency through Continuity of the Economy Planning

  • Continuity of the Economy Planning is required by law: The 2021 NDAA stipulated the President must create a plan within two years.
  • The President must define who is in charge between the National Response Framework, PPD-41, and the National Cyber Incident Response Plan.

A plan must involve the states and their homeland security and emergency management offices in coordination with the federal Department of Homeland Security. 

It must also involve funding, regular exercise at a regional and national level, and collection of lessons learned.

Appropriate a state and local grant program for a cybersecurity “standard of care” with municipal utilities to include breach notification and mutual aid amongst providers.

Modeled after the CIP framework, incorporate cybersecurity rules into the Environmental Protection Agency (EPA) Sanitary Surveys.

Add cybersecurity of information and operational technology to the eight focus areas covered by the EPA Sanitary Survey.

Create North American standards for OT sensors and actuators. Require engineering firms to incorporate cybersecurity into their device engineering design and require acceptance and testing.

Require detection and response plans aligned with NIST Cybersecurity Framework and coordinated with the relevant SRMA for all Critical Infrastructure.

Codify the Water ISAC list of cybersecurity fundamentals into regulatory requirements for all water and wastewater facilities.

Address specific regulations based on common cyberattack behaviors such as:

  • Restricting remote access and externally accessible services
  • Requiring access controls on IT & OT assets
  • Immediately revoking access for outgoing employees
  • Maintaining a resilient control system in which pressure and treatment functions can be manually run
  • Incorporating protective technology

 

Recommended citation

Zabierek, Lauren and Sean Plankey. “Clear, Actionable Ways to Enhance Cybersecurity in the Water Sector.” Belfer Center for Science and International Affairs, Harvard Kennedy School, June 7, 2022.