Bolstering Cyber Resilience in the US Water Sector: A Call to Action

Tomorrow, February 6, 2024, the House Homeland Security Committee will hold a hearing on securing US water systems from cyberattacks. Following last year’s widely publicized attack on the municipal water system in Aliquippa, Pennsylvania, Congress, the Cybersecurity and Infrastructure Security Agency (CISA), and industry leaders have rightly increased their focus on the unique risks facing water systems across the country. Tomorrow’s hearing follows a similar oversight hearing conducted last week in the House Energy and Commerce Committee.

 

There are more than 150,000 public drinking water systems in the United States, virtually all of which are administered and secured at local levels of government.  

 

Adversaries target municipal water systems

As the Aliquippa system attack shows, municipal water is a focused target of cyber adversaries, including nation-states. Damage to operational technology that controls municipal water would wreak havoc on American security, threaten lives, and disrupt vital services we rely on daily. We shouldn’t be surprised it’s an attractive target to nation-states and advanced threat actor groups. SecurityScorecard’s own research into the Aliquippa attack showed direct traffic links to Iranian threat actor groups in the lead-up to the incident. The US Government announced sanctions against six Islamic Revolutionary Guard Corps officials last week in response to the attack.

The Environmental Protection Agency (EPA) currently lacks regulatory authority to compel specific cyber defense measures at local levels of government for water system security. In early 2023, the EPA rolled out new regulatory requirements that would have directed water system operators to incorporate cyber risk assessments into annual safety inspections. Those rules were quickly challenged, and ultimately walked back.

 

Backing the Solarium 2.0 Commission’s legislation

The pace and scope of threats to our nation’s critical infrastructure will only continue to accelerate in the coming years. SecurityScorecard believes a new approach is needed to give under-resourced local water authorities new capabilities to monitor and respond to evolving threats. SecurityScorecard supports legislation that was developed by the Solarium 2.0 Commission—and is supported by water and wastewater stakeholders—to improve the state of cybersecurity across the sector. This legislation would authorize a new water risk and resilience organization to develop new cybersecurity risk management requirements for water authorities.  SecurityScorecard believes new authorities are needed to ensure that water systems have greater insight and best practices to reduce attack surfaces facing the sector. We call on Congress to approve this legislation and the Administration to sign this into law.

While this important legislation is considered, SecurityScorecard believes there are immediate steps that can be taken in the absence of new regulatory authorities to increase resilience and understanding of practical steps water authorities can take to improve their cybersecurity posture. For example, the EPA could mirror an approach deployed by the Transportation Security Administration following an attack on a pipeline operator by providing free access to water authorities to enable real-time internet threat monitoring to increase visibility into vulnerabilities facing small, medium, and large communities. The TSA implemented continuous risk monitoring outside of its regulatory authorities to ensure pipeline operators and the agency could see real-time metrics on risks facing the sector.  

In a world where cyberattacks on vital infrastructure are on the rise, SecurityScorecard is ready to act. Building on the success of our TSA partnership, we aspire to launch a transformative partnership in the water sector. Our goal is clear: to bolster resilience and empower water authorities with real-time threat identification and resolution. This approach, lauded by Deputy National Security Advisor Anne Neuberger as ‘game-changing,’ can protect national critical infrastructure against evolving threats.

SecurityScorecard stands ready to partner with local authorities to improve resilience. Reach out to us today and review our public sector use cases and success stories here.