When I speak publicly, I like to use the following narrative to drive home the point that we focus on the wrong things: if you get another letter from a credit card company telling you that your credit is being monitored for free because of yet-another-data-breach, you throw it away.
But if your toilet won't flush for 3 days or you can't trust your drinking water, it's a disaster.
There's a big difference between the theft of information and the disruption of services that keep us all alive—and the latter is increasingly under attack.
Regulating the Security of Water
We started CI Security specifically to focus on what we call critical infrastructure at the local scale—those IT-enabled processes, many operated by the public sector, that provide life-safety, life-sustaining, and quality of life services. That includes a lot of things, but the water sector is particularly important. There are a lot of things we can live without; water isn't one of them, and disruption of operational continuity in sewer operations would create an enormous public health hazard.
In the ecosystem that defines the Department of Homeland Security's efforts to protect critical infrastructure, each critical sector has a government coordinating council, a sector coordinating council, and a sector-specific agency (SSA). The SSA, in many cases, has the authority to regulate—and the SSA for the water sector is the EPA. Sadly, the EPA has not addressed the issue of information and operational technology security in the water sector, and only regulates water purity.
I don't think this condition will persist; it is likely that the EPA will start requiring self-assessments against the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and have the results of a risk assessment and resulting corrective action plan ready and available for inspection.
Washington State has, to their credit, addressed this gap—albeit somewhat obliquely:
Every owner, agent, manager, operator or other person having charge of any waterworks furnishing water for public or private use, who shall knowingly permit any act or omit any duty or precaution by reason whereof the purity or healthfulness of the water supplied shall become impaired, shall be guilty of a gross misdemeanor.
Reducing Foreseeable Risks for Water Services
How does this apply? It is now broadly accepted that we should all assume breach, and not hide behind the rose-colored glasses of 'keeping the bad guys out'. IT security incidents today are foreseeable events, and in other sectors executives are being accused of negligence (and fired) for the failure to apply adequate resources to mitigate a foreseeable risk. At the federal level, the FTC is suing companies for negligent cyber security—illustrating the trend, if not the jurisdiction for an action against a public water utility.
And let me be clear, as I’ve had this conversation with Commissioners who insist that they possess no records worth stealing: this is not about unauthorized disclosure of records. Rather, it’s about resilience and preparing to take a punch to your continuity of operations. The information technology systems that house regulated records are important. However, the operational technologies, like the industrial control / SCADA systems that open and close valves, inject chlorine, and filter out contaminants, are at the most substantial risk here.
Ordinarily, the combination of criticality, rising threat, and dependence on IT would spur appropriate investments in IT and OT security. The American Water Works Association (AWWA) has even produced a nice primer to guide the type of controls that we would expect to find in any mature organization, yet it's clear that none of this is a priority.
The reason, I believe, is because for the most part water and sewer are public sector services, meaning that they have all the same financial challenges as your average city or county: biennial budgets, rigid competitive procurement rules, organized labor to bring to the table when something changes... and the path of least resistance is to maintain status quo. In a nutshell, government manages by landmine, and once that first person in Washington State is charged with failing to plan, it will become a priority for everyone not wanting to share that fate, but not before.
I've been told by a Commissioner for a rural water district that they don't invest because they're just too small, "they're going after the big guys.” This despite the fact that the federal government has specifically warned rural water systems on cyber threats.
The Future of Water Security: 4 Critical Areas of Focus
Specifically, based on CI Security's knowledge of IT, OT, and utility initiatives, we see 4 critical service areas of increasing importance requiring immediate attention and regulation:
- Digital transformation to "smart" utilities, starting with automated metering;
- Poor coordination between IT and OT—including patching Programmable Logic Controllers (PLCs);
- Third party security—vendors are now prime targets for threat actors to penetrate the network; and,
- Field telemetry and network head-end architecture—these additional exposures should be fully addressed within water and utility security programs.
Don't wait for the landmine. Call us, call someone. Get an assessment, and develop your right-sized, prioritized path forward in your security journey. We all depend on it.