Locally run water utilities need more financial help from the federal government to fend off cyber threats, as well as more expertise and support from security professionals, witnesses told lawmakers last week.
Several witnesses at the House Homeland Security Committee hearing lamented the impact of unfunded federal mandates, which strain local dollars and prevent normally publicly run water utilities from investing in other areas such as cybersecurity.
David Gadis, the CEO and general manager of the District of Columbia Water and Sanitation Department, also cited the cost of chemicals, which is increasing by $17 million from year to year, as an example of other expenses preventing adequate cyber investments, even as threats multiply.
“Maintaining strong cyber defenses is as much a part of our infrastructure as maintaining our pipes and filtration systems,” Gadis said in his written statement. “Solid cybersecurity planning is no longer an option in the water sector – it is an important part of our daily work.”
Elected officials and witnesses highlighted recent cyber events to show the seriousness of the problem. John O’Connell, senior vice president of the National Rural Water Association (NRWA), said in his written testimony that hacks on systems in Oldsmar, Florida, and Ellsworth, Kansas, showed smaller communities can be “a target” for cybercrime.
The Cybersecurity and Infrastructure Security Agency and the National Security Agency recently released a recommendation for those who operate critical infrastructure control systems, warning of the risks they face and recommending a number of actions operators can take to mitigate threats. The agencies warned that the continued integration of information and operational technology “may provide cyber actors with a larger attack surface in cyber-physical environments.”
Rep. John Katko (R-N.Y.), the committee’s senior member, said in his written testimony that the Oldsmar incident, in which hackers altered the chemicals in the water treatment system and could have endangered local residents had they not been stopped, “demonstrated first-hand the devastating real-world consequences that a cyber attack can have.”
Craig Fugate, a former administrator at the Federal Emergency Management Agency, said that cyber threats are affecting all critical infrastructure and that attackers now include nation-states, which he said are “impairing national security, our mobilization capabilities, our economies and our trust in government.”
But even in the face of these threats, costs for local water utilities continue to mount. Gadis said the costs are “outrageous,” especially as unfunded federal mandates put pressure on companies and they try not to pass those costs on to taxpayers. O’Connell said this could mean downsizing – he noted he works part-time at the NRWA – or using resources “beyond” what is available.
Rep. James Langevin (D-R.I.) noted that in a 2021 survey by the Water Sector Coordinating Council, 73% of respondents said they had between zero and two network security staff, adding that lawmakers “appreciate the challenges involved” with finances.
In addition, witnesses stressed the need for partnerships between federal agencies and local water utilities, and the need to share resources and expertise. The Environmental Protection Agency is set to give states more regulatory powers over cybersecurity in the water sector, but Gadis said the federal government also needs to be a strong partner.
One solution O’Connell proposed is a Department of Homeland Security initiative that would implement what he described in his testimony as “national cooperative cybersecurity water supply protection,” which he said would “result in communities turning to… would focus on improving security based on local risks.”
“Only local experts who are familiar with each system can identify the most vulnerable elements in the community and identify imminent threats,” O’Connell continued. “This initiative could provide means to quickly assess the effectiveness of all small water utilities in protecting their cyber infrastructure, develop adequate protocols to improve protection, provide assistance with an inadequate cyber protection plan, and document the state of cyber protection in all small water utilities.”