Cybersecurity has steadily risen as a priority for water infrastructure over the past few years, but operators and industry groups pled with Congress this week to fully fund existing programs and open up new subsidies to replace aging infrastructure, update digital defenses and train replacements for a rapidly aging workforce.
Representatives from the water sector testified in front of the House Homeland Security Committee Wednesday, painting a dire picture of utilities across the country with outdated equipment, systems that are increasingly a target for criminal and nation-state hackers and not nearly enough revenues or state and local funding to meaningfully address any of those problems.
That aging infrastructure has already resulted in preventable tragedies in Flint, Michigan and more recently Jackson, Mississippi, where years of neglect have created contaminated water supplies for huge population centers. But operators are also dealing with a heightened digital threat landscape where ransomware actors, foreign governments and malicious hackers are increasingly targeting water systems for disruption.
David Gadis, CEO and general manager for the District of Columbia Water and Sewer Authority, said that cybersecurity is fast becoming a central focus of his job. The authority already limits physical and remote access to their data systems, has continuous monitoring capabilities in place to scan for potential digital threats and can block some forms of cyber attack. But to do more, he said organizations like his will need help from the federal government.
He urged congressional appropriators to fully fund cybersecurity related programs authorized through the Infrastructure Investment and Jobs Act passed last year. One of those programs would empower the director of the Cybersecurity and Infrastructure Security Agency and the administrator of the Environmental Protection Agency to develop a framework for prioritizing systemically important assets in the water sector.
The agencies must assess how capable they are of defending against digital vulnerabilities and determine whether a cyber attack that rendered their systems inoperable would have broader effects on water infrastructure or availability. The agencies would also be on the hook for developing a technical support plan to assist those entities with things like penetration testing, vulnerability and risk assessments and other capabilities.
“I would ask that Congress continue its commitment to grow this water infrastructure funding, as there is still much work to be done,” Gadis told lawmakers, later adding “While these funding programs do shift efforts in a positive direction, they do not provide nearly enough financing to solve the growing issue that we have in front of us today.”
More money for cybersecurity is just one of many needs plaguing the water sector. According to a report by the American Society of Civil Engineers last year, there is at least a $1 trillion investment gap in water infrastructure. A successor group to the Cyberspace Solarium Commission housed at the Foundation for Defense of Democracies put out a report this year that asked lawmakers to consider a range of initiatives to boost digital security in the industry. Among the recommendations is designating the EPA as the sector risk management agency for the water sector and shifting more of its funding towards cybersecurity, requiring wastewater utilities to perform regular risk assessments. Also suggested is the creation of a new water and wastewater cybersecurity infrastructure improvement plan and a dedicated risk and resilience organization.
Ransomware, insider threats and shoddy access controls are at the heart of many threats against the water and wastewater industries, according to a joint alert crafted by multiple U.S. agencies Since the onset of COVID-19, these facilities are also increasingly reliant on remote login tools, like Remote desktop protocols, that have been persistently targeted by ransomware actors and other hacking groups during the pandemic.
Some lawmakers at the hearing remained focused on the possibility that malicious hackers could gain access to water systems and the damage they could cause. John Katko, the ranking Republican on the committee, called cyber vulnerabilities “the biggest threat to our country right now.”
“Five years ago I would have said ISIS-inspired acts of violence, now I think one of the greatest threats to the homeland is cyber and certainly it is in the water systems,” Katko said.
Those threats can come from both criminal hackers like ransomware groups, individuals like the (still unknown) actor who gained control of a water treatment plant in Oldsmar Florida last year to turn the water supply toxic. It can also come from foreign military or intelligence agencies that are increasingly probing and targeting U.S. critical infrastructure.
“We’re no longer dealing with cyber hackers, we’re dealing with nation sponsorship,” said Craig Fugate, former administrator of the Federal Emergency Management Administration under President Barack Obama. “This is pure adversaries; they’re no longer looking merely at causing chaos, they’re looking at how they can disrupt national security, our ability to mobilize, our economies and our confidence in government.”
The needs go beyond just money. Like many other critical infrastructure sectors, water utilities are dealing with an aging workforce where many of their employees with the most experience operating equipment and systems are scheduled to exit the workforce in the coming years.
John O’Connell III, vice president of the National Rural Water Association, told lawmakers that roughly half the nation’s water utility directors say they plan to retire in the next three or four years, with the number reaching as high as 75% in some states like New York. He said a massive number of people will need to be trained in quick fashion in order to avoid even more dire circumstances in the near future.
“You think you’ve got difficult times right this minute? Give yourself 3-4 years, and the magnitude of this problem [will grow] ten times over,” O’Connell said. “We need more people in the field to go to utilities at a no cost situation so we can provide these people with the proper training and give them more preparedness of what’s going to come down the road.”