In Brief:
In a mid-March letter to governors, Environmental Protection Agency (EPA) Administrator Michael Regan issued a warning about “disabling” cyber attacks against water and wastewater systems in the U.S. by hackers affiliated with the governments of Iran and China. This followed an earlier alert from the Cybersecurity and Infrastructure Security Agency (CISA) that computers used to control some systems were being targeted, in particular a specific device manufactured in Israel.
None of the attacks has had a significant impact on a water system, and CISA’s alert detailed which equipment was at risk, its vulnerability and what to do about it. But they were concerning enough to prompt the EPA to announce it was forming a Water Sector Cybersecurity Task Force, drawing on recommendations from state officials.
Protecting water systems from bad actors outside the U.S., or ransom-seeking criminals within it, is a complicated, multidimensional challenge. There are around 150,000 public drinking water systems in the U.S., as well as over 16,000 wastewater treatment systems that are publicly owned. More than 97 percent are small, serving 10,000 people or more, and are less likely to have dedicated information technology or cybersecurity staff.
The American Water Works Association (AWWA) is a nonprofit whose members include utilities that bring water to 8 in 10 Americans. AWWA’s Kevin Morley testified in two recent House hearings focused on collaborative approaches to water system cybersecurity.
Morley spoke with Governing about last month's warning, the work AWWA has been doing with the federal government, and no-cost resources that are helping utility managers address vulnerabilities. Here are edited excerpts from that interview:
Governing: How serious was the incident in Pennsylvania late last year, when there was evidence of a breach by hackers affiliated with Iran?
Kevin Morley: I think we need to be cautious with a “sky-is-falling type” of discussion. That distracts people from the actual goals and objectives. It was an incident that was contained and managed in part because of the redundancies that water utilities have.
In many cases, they’re able to switch over to manual controls. That's not always going to be the case, but it’s a testament to the resiliency of water systems and the inherent redundancy that we have in our operations to ensure continuity of service 24/7.
Governing: How would you characterize the overall state of attention to cybersecurity?
Morley: This is a very big and diverse sector that runs anywhere from large cities to small-town America. The needs and in-house capabilities to address cybersecurity are really different, especially when you get down to those smaller communities where they're not going to have a CISO or a CIO.
We do an annual state of the industry report, and 10 or 15 years ago cybersecurity wasn't on the list of top-ranked issues. Now it’s consistently in or close to the top 10. We've moved a very long way. We still have a way to go to get everybody to a common baseline, but that's our objective with the resources we have developed and the work we're doing with our federal partners.
Governing: Any important first steps in this direction?
Morley: CISA has a free vulnerability scanning service. A utility can enroll in that. You provide them with your IP address, and they scan Internet-facing systems. They're looking at the same things that the bad guy sees when they're looking at your network. They will then send a report to the end user about what they’ve seen and recommended mitigations.
That is very empowering to a utility with limited in-house capacity. What we've seen with entities that have enrolled is that there's on the order of a 40 percent reduction in vulnerabilities within the first couple of months.
Governing: Is there enough awareness of this tool?
Morley: If a small or medium system with limited capacity happened to stumble onto that page on the CISA website, there was no explanation of the value proposition. We worked with CISA last summer and developed a fact sheet that really unpacks not only how you enroll in the process but also what the end user gets from being part of it.
Message simplification is really important. If you give anybody a list of 30 things to do, it's a bit overwhelming. With the attacks that we were just talking about, publicly facing Internet devices were a principal mode of action.
How do we get rid of that risk? The vulnerability scanning service helps people discover that their devices are publicly facing. You add in some governance stuff on credentials and passwords, along with multifactor authentication, and you’re knocking off what have mostly been some fairly unsophisticated attacks across multiple sectors.
Governing: Where do the materials that AWWA has created fit into this?
Morley: When the NIST (National Institute of Standards and Technology) created the cybersecurity framework in 2014, we worked very closely with the Department of Homeland Security, EPA and NIST. When the framework came out we released our risk management tool on the same day.
At the front end of that tool is a set of questions. You answer them based on the technology that you use in your system, and you get a tailored bucket of controls that are most relevant. Then you go through an iterative process. Is the control recognized, fully implemented, partially implemented, on the capital plan?
Rather than going to leadership or management and saying you need $50,000 to do X, Y and Z you can say, “I’ve got an assessment that says I’ve implemented 60 percent of the priority one controls, and it would take us $50,000 over the next six months to get to 100 percent.” It changes the conversation from being a bunch of technical speak that people don't necessarily understand to more of a business or risk management decision with some informed guidance.
In the small-systems version of that tool we broke it down to looking from the perspective of a fairly simple groundwater system that has minimal automation in its processes.
Governing: What more is needed?
Morley: Knowledge transfer is where the rubber hits the road, whether it's our guidance or something else. Getting knowledge into the hands of owner-operators through a trusted partner like an AWWA or some of the other sector associations actually working in the field is the force multiplier that's necessary.
The other piece is in the realm of what I would call "governance and oversight" or "accountability." We’ve recommended an approach where we create an independent, non-federal entity to develop and lead the development of minimum cybersecurity practices using a risk- and performance-based approach with oversight from the EPA. It really needs to be tiered because what you would do for a small system isn't really appropriate for the big system.
We need to bring everybody along in a way that is not overly punitive; we want people to be successful and we need to help them be successful. I think we've got the tools and the guidance to do that.
