February 8, 2022
Steve Mustard, Board Member of Mission Critical Global Alliance (MCGA)
It has taken more than 20 years, but there is at last acknowledgement that the cybersecurity threat to the United States (U.S.) critical infrastructure is significant, and we must act. Nowhere is this more apparent than in the nation’s water and wastewater sector. There are over 145,000 active public water systems in the U.S. and its territories. The Safe Drinking Water Act defines 97% of these systems as “small,” meaning they serve 10,000 or fewer people. These systems have limited resources to manage the threat to their operations. We collectively need to help such systems as the impact to them affects us all.
Despite a growing awareness, cyber-related incidents in critical infrastructure sectors continue to occur apace, and now regularly impact the public. The City of Oldsmar public water system narrowly avoided a potentially catastrophic situation in February 2021. Shortly afterwards, Colonial Pipeline shut down its operations for a week. Both incidents occurred because of inadequate attention paid to basic cybersecurity controls.
Our country is collectively investing significant amounts in cybersecurity, and there is widespread availability of frameworks, standards, and guidelines that define the actions organizations need to take. Despite the availability of such resources, we remain incredibly vulnerable.
No New Regulations
There is a growing sense that we need to do something more. Unfortunately, many are turning to regulation for the answer. Evidence is at best mixed on whether regulation improves cybersecurity posture. While some organizations have no doubt improved their posture under pressure of regulatory punishment, there are many cases showing that even this threat is insufficient. In 2019, federal authorities fined Duke Energy a record $10M for 127 violations of regulations designed to protect our electric system. Many of the violations related to fundamental requirements such as awareness training of employees and electronic access control, requirements that organizations should be doing irrespective of regulation.
Even if regulations were the answer, they would take time to develop, time that we do not have the luxury to spend. The electric system infrastructure protection regulation process began in 2008 and revisions to the regulations continue to this day. Furthermore, punishing a public water system for a failure to comply with regulations is not the best use of resources. Cash-strapped public water systems need to invest funds in improving their protection, not paying fines.
The private sector focuses on selling products and services that address cybersecurity issues, but few are focusing on the fundamental issues that continue to leave our critical infrastructure vulnerable. Technology is one part of the problem, but the people and process issues remain unaddressed. Many focus on the technical aspects of the Oldsmar and Colonial Pipeline incidents, yet they ignore the people and process failures that allowed insecure remote access methods to remain in place in these incidents.
If we are to make a real impact on our cybersecurity posture, we need to recognize that good cybersecurity management begins with a well-trained current workforce. People may be the weakest link in an organization, but they are also the first line of defense. No amount of regulation will help if a water system operator is unaware of the importance of basic cyber hygiene. Furthermore, regulations place another burden on an already thinly stretched workforce. Regulation without training or support is not only ineffective, but it also distracts from addressing the real issues affecting a public water system.
The Mission Critical Global Alliance (MCGA) and the National Rural Water Association (NRWA) believe that we need to address the cybersecurity threat to our public water systems by first training personnel and responsible management to understand the problem. Key to understanding the problem is recognizing that public water system risks encompass physical, cybersecurity, and operational aspects. Cybersecurity assessment tools and methodologies designed for larger organizations are not well suited to addressing these unique challenges. Once water system personnel understand the problem, they can identify, prioritize, and address their vulnerabilities in a rigorous manner from a people, process, and technology perspective:
People – Train everyone to anticipate a cybersecurity incident and know how to respond. Training should also help all water system employees understand how to spot insecure behaviors and stop them, and how to specify secure system and service requirements to vendors.
Process – Remove insecure methods such as uncontrolled remote access to systems, and tighten up processes related to joiners, movers, and leavers to ensure that disgruntled former employees or contractors are unable to exploit their access credentials.
Technology – Implement secure architectures and use secure software solutions. Avoid free software. Remove unnecessary software from control system workstations and servers to limit exposure to other vulnerabilities.
With the correct training, water system personnel will understand that their highest priority vulnerabilities can be resolved with minimal cost and effort.
We need a cultural shift in our attitude to cybersecurity, one that is like the safety culture in our critical infrastructure. Everyone in a public water system needs to be aware of the potential for a cybersecurity incident and needs to do their part to intervene before one occurs.
MCGA aims to make operational security within NRWA a culture rather than the completion of exhaustive checklists, where the goal becomes finishing the list rather than learning and improving. A well-trained and aware public water system workforce will be much more effective than any regulation.
Business leaders, government, and industry turn to Mission Critical Global Alliance (MCGA) as a trusted resource dedicated to enhancing the resilience of mission critical infrastructure through our expertise in advocacy, skills standards development, education, research, workforce development, and professional certifications. MCGA is a 501(c)3 nonprofit organization.
The National Rural Water Association (NRWA) is a non-profit organization dedicated to training, supporting, and promoting the water and wastewater professionals that serve small and rural communities across the country.
NRWA provides training and technical assistance through 49 affiliated State Rural Water Associations that currently have over 31,000 utility system members. Rural Water training and technical assistance covers every aspect of operating, managing and financing water and wastewater utilities.