
It's Time to Regulate Water and Wastewater Cybersecurity--Here's How

Amid a heightened threat environment in which U.S. water infrastructure is increasingly vulnerable to cyberattacks, the time to set cybersecurity regulations--and provide funding for state, local, and private organizations to meet them--is now. 

A joint advisory recently released by CISA, the FBI, the EPA, and the NSA detailed ongoing threats from known and unknown threat actors to the operational technology (OT) and information technology (IT) systems of U.S. water infrastructure. While it is unclear who is behind the threats, or what their intent is in targeting these systems, what is clear is that everyday people and families in the United States are vulnerable to disruptions to our water supply and wastewater systems.

Disruptions to water and wastewater IT and OT systems, such as the attempted poisoning of the water supply in Oldsmar, Florida, could be catastrophic. As the Colonial Pipeline cyberattack and the spate of cyberattacks against hospitals and schools prove, threat actors increasingly target critical infrastructure, seeking to disrupt those services or, at the very least, instill fear in citizens in the United States that their governments cannot provide basic services.

Despite ample discussion about norms regarding appropriate behavior in cyberspace--such as the affirmation of the applicability of the law of armed conflict (meaning that nations should not target citizens)--the low barrier to entry and distributed capabilities (often for sale) mean that nonstate actors who don’t abide by international law and norms are in the game and can use the cyber domain to achieve their financial goals. The line between state and nonstate actors in cybersecurity is increasingly blurred, too--resulting in ever-increasing technical sophistication even among criminals.

An Increasing Threat

The ransomware attack on Colonial Pipeline brought the threat of ransomware into sharp focus for much of the general public and policymakers and may eventually be considered a turning point in the fight against the vast cybercriminal operations targeting the underpinnings of society. But ransomware attacks on critical infrastructure, including water and wastewater resources, are not new. 

For example, ransomware impacted the Lansing Board of Water & Light in 2016; the North Carolina Onslow Water and Sewer Authority in 2018; and Riviera Beach, Florida in 2019. Baltimore, Maryland is still feeling the impacts from the 2019 RobbinHood ransomware attack. According to a recent report in Baltimore Brew, city officials blamed operational and maintenance issues in its water infrastructure on “the impact of the 2019 ransomware attack on Baltimore City and the COVID-19 pandemic.” (Ransomware is not the only threat to the water system. The Oldsmar event demonstrates the threat to remote services that was highlighted in October 2021, when a Kansas man pleaded guilty to remotely accessing and shutting down the Post Rock Rural Water District plant and one of its treatment filters in 2019.)

Water and wastewater entities, like many critical infrastructure organizations such as factories or oil pipelines, are at high risk of exploitation from cyber threat actors focused on ransomware. While email is still a common initial infection vector for potentially disruptive attacks, ransomware threat actors have begun leveraging vulnerabilities in remote services, network appliances, and externally-facing networking equipment to gain initial access to target systems. Although patches are available for many of the vulnerabilities exploited by threat actors, fixing them and improving cybersecurity postures overall requires commitments in time, human resources, and finances. Many critical infrastructure organizations, including those responsible for the distribution and safety of our water systems, are deep in technical debt. That is, computers and other assets often rely on outdated software and firmware that cannot be upgraded due to restrictions on either functionality or financial support. Additionally, many of the organizations are small and under-resourced -- one or two people might oversee system administration and IT functions as well as the security of everyone’s computers in the office and the plant, or the organization might rely heavily on third-party vendors or city staff for security operations.

Security Gaps

The water and wastewater sector recognizes its shortcomings. According to the 2021 State of the Sector Cybersecurity report published by the Water Sector Coordinating Council (WSCC), the top concerns for utilities are the need for cybersecurity training and education; technical assistance, assessments, and tools; threat information sharing; and financial support from federal loans and grants. The biggest challenge for large utilities serving more than 100,000 customers is “creating a cybersecurity culture within the utility.” 

Meeting these standards takes time and money. And that’s why bills like the State and Local Cybersecurity Improvement Act (led by NH Senator Maggie Hassan) are crucial to getting funding to states and municipalities to bolster the cybersecurity of their critical services. Moreover, legislation to mandate reporting of cyberattacks, like the Cyber Incident Reporting Act of 2021, is necessary to track and measure attacks so that we may better understand who is attacking us and how they’re doing it--and to understand how threats are evolving. “We cannot create sound cybersecurity policy and craft appropriate response options without first understanding the problem,” says Klara Jordan of the Cyber Peace Institute.

The onus should not be on individual asset owners to address these structural issues; rather, the sector should take a holistic approach. That is why the federal government must step in to leverage its lawmaking power where the market has been unable to incentivize better, systemic security. In a recent Homeland Security Committee hearing on cybersecurity requirements for transportation safety, former NPPD Undersecretary Suzanne Spaulding noted, “The purely voluntary approach [to cybersecurity] simply has not gotten us to where we need to be, despite decades of effort. Externalities have long justified regulation and mandates such as with pollution and highway safety.” According to Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, the Biden Administration had sent language to Congress recommending granting the EPA more authority over the water sector’s cybersecurity, saying current requirements are “largely piecemeal, and in many cases, they’re not used to the degree needed in order to set a minimum required [security] threshold.”

“There isn’t a one-size-fits-all approach to effectively implementing cybersecurity controls to critical industrial systems, like water systems; however, there are some fundamental approaches that need to be applied in nearly all cases.  Identifying appropriate cybersecurity controls is dependent upon risk and consequence. I would support some regulatory requirements for setting a baseline level of security that can be incrementally improved upon over time but also think that lawmakers need to understand the resource challenges, both financial and personnel based, that water utilities face. Those limitations need to be factored into how regulatory requirements are structured,” says Gus Serino, principal ICS security analyst at the industrial cybersecurity firm Dragos.

As an example, the electric sector has regulatory bodies that could be used as a blueprint for the water and wastewater industry to help achieve the necessary requirements for improving cybersecurity. In North America, the bulk electric system is required to adhere to cybersecurity rules and regulations known as the Critical Infrastructure Protection (CIP) reliability standards. These are overseen by the North American Electric Reliability Council (NERC) and the Federal Energy Regulatory Commission (FERC). For over a decade, the cybersecurity regulations have required electric power entities to meet fundamental requirements in areas like vulnerability management, network monitoring and access restrictions, information sharing, and incident detection and response.

Serino also noted the water sector could substantially benefit from the concept of collective defense, in which industrial critical infrastructure sectors overall would share the output of their threat detection and security monitoring programs into an anonymized, shared data set in as close to real-time as possible. Under such a framework, all industrial sectors could have access to the most up-to-date information about ongoing campaigns and the Tools, Techniques, and Procedures observed in the wild.

And while the public often hears about ransomware attacks impacting manufacturing, meat packing, oil and gas, and water facilities, electric utilities are conspicuously absent from the conversation. Cybersecurity regulations likely play a major role in preventing the most disruptive impacts. 

Summary of Recommendations

America's Water Infrastructure Act of 2018 includes requirements to conduct assessments of the impact of a cyberattack on water operations, but does not direct utilities to fix issues that are identified during the assessment. The bipartisan water infrastructure bill passed by the Senate earlier this year includes some language on tackling cybersecurity with financial support and efforts to identify existing problems, but does not establish requirements or a roadmap to improve cybersecurity overall. 

One solution might be to take inspiration from the CIP framework and incorporate cybersecurity rules into an already existing regulatory framework: the Environmental Protection Agency (EPA) Sanitary Surveys. The EPA is the regulatory body for water and wastewater entities and requires Community and Non-Community Water Systems to conduct regular reviews of water systems to ensure the safety and availability of the public water system. Cybersecurity of information and operational technology could be added to the eight areas covered by the Sanitary Survey. 

Serino recommends multiple key aspects for regulation: maintaining a resilient control system in which pressure and treatment functions can be manually run in the event of a cyber disruption; incorporating protective technology such as endpoint detection and monitoring; and requiring effective and robust detection and response plans. The Water ISAC publishes a list of cybersecurity fundamentals that all water and wastewater facilities should be using, which may be codified into regulatory requirements.

But regulators should home in on specifics based on common cyberattack behaviors. Restricting remote access and externally accessible services; requiring strict access controls for employees and vendors on all IT and OT assets; and immediately revoking access for outgoing employees can all significantly reduce the risk of attacks such as ransomware, the Oldsmar breach, or insider threats.

Best practices in cybersecurity for critical infrastructure sectors exist, but we must standardize and mandate them, especially across the water and wastewater sector, and ensure states and municipalities have the resources to meet them. These systems are vulnerable to attack, meaning that people living in affected communities could suffer, and we cannot wait for a catastrophic event to take action.


 

Recommended citation

Larson, Selena and Lauren Zabierek. “It's Time to Regulate Water and Wastewater Cybersecurity--Here's How.” November 3, 2021