States and Congress wrestle with cybersecurity at water utilities amid renewed federal warnings

The recent cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania has prompted renewed warnings from U.S. security officials about the vulnerability of water utilities. Hackers gaining control of automated equipment could potentially shut down pumps or contaminate drinking water. The danger is not limited to Iran; it also extends to other hostile geopolitical rivals such as China. Many states have sought to increase scrutiny of cybersecurity in water utilities, but the sector lacks the necessary funds and expertise. Additionally, some cybersecurity measures have been met with resistance from private water companies, who argue that public authorities should adhere to stricter regulatory standards.

Key Points:

• Water utilities are vulnerable to cyberattacks that could disrupt drinking water supplies or contaminate the water.
• States have sought to increase scrutiny of cybersecurity, but water utilities lack the funds and expertise necessary to implement effective measures.
• Some private water companies have pushed for cybersecurity measures, but public authorities argue that this is a backdoor to privatization.

With a lack of action in Congress, some states have taken the lead in passing legislation to address cybersecurity concerns in water utilities. New Jersey, Tennessee, Indiana, and Missouri have all passed laws to bolster cybersecurity in the sector. California commissioned a law to develop plans to improve cybersecurity in the agriculture and water sectors. However, other states, such as Pennsylvania and Maryland, have resisted such legislation due to concerns about funding and potential privatization.

The demands of cybersecurity often take a backseat to other pressing needs for water utilities, including maintaining aging pipes and complying with clean water regulations. Cybersecurity also proves difficult to invest in when funds are already limited, and some water utilities argue that private companies are using cybersecurity as a pretext for privatization. However, proponents of cybersecurity legislation argue that it would protect the quality and safety of tap water, instilling public confidence and increasing willingness to use it.

To address the lack of funding for water utilities, Pennsylvania State Rep. Rob Matzie is working on legislation to create a funding stream for cybersecurity upgrades. The U.S. Environmental Protection Agency (EPA) proposed a rule in 2021 to require states to audit the cybersecurity of water systems, although it was quickly met with legal challenges from three states and ultimately withdrawn by the EPA. The American Water Works Association and the National Rural Water Association, two groups representing public water authorities, have opposed the EPA rule and are now supporting bills in Congress to regulate cybersecurity in water utilities.

Without action from Congress, the Safe Drinking Water Act standards will remain in place, which both the EPA and cybersecurity analysts acknowledge have yielded minimal progress. States can apply for grants from a $1 billion federal cybersecurity program, but water utilities must compete with other sectors, such as hospitals and police departments, for the funds. Dragos Inc., a cybersecurity company, has offered free access to its software and support for water and electric utilities drawing under $100 million in revenue. However, more needs to be done to ensure the cybersecurity of water utilities nationwide.