Ominous warnings from the federal government early this month cautioning of the “malicious cyber activity against operational technology” commonly used by water and wastewater providers must serve as a wake-up call for the nation — especially when it concerns the only public utility service we ingest. Last month, cyber actors compromised computer systems designed to control and monitor equipment used to ensure safe and reliable water and wastewater service in Aliquippa, Pa. During the same time frame, the North Texas Municipal Water District experienced disrupted phones and impacted business computer systems when hackers said they obtained personal customer information.
Unfortunately, this is not new. In January 2021, a hacker deleted the programs used to treat water in parts of the San Franciso Bay area . One month later, a bad actor in Oldsmar, Fla., remotely adjusted the chemicals for the water treatment system creating a scenario where the area’s water could have turned into poison. Thankfully to date, unauthorized access to these sensitive systems has not impacted public health or our environment. However, the importance of ensuring the safety and reliability of our critical water and wastewater assets from cyber-related attacks cannot be overstated.
The level of cyber sophistication at the nation’s water and wastewater facilities varies greatly. To comprehend the inconsistencies, it helps to understand the highly fragmented nature of the water and wastewater industry. The United States has about 50,000 drinking water systems , 85 percent of which are government-run — and approximately 16,000 wastewater systems , of which around 90 percent are government-run. To put that in perspective, the nation has about 3,300 electric utilities . The disparity among each of those 50,000 systems is often stark.
The sobering reality is that too many system operators have been lax in their investments in not only the physical infrastructure but also cybersecurity-related areas. At the National Association of Water Companies, where I am president and CEO, over 90 percent of members have a cybersecurity plan in place. However, these companies are often the exception, not the rule, when it comes to preparedness and cybersecurity in the water sector. In 2021, NAWC worked to develop cybersecurity pillars to serve as guiding principles around cybersecurity, compliance and the sector’s path forward on this key issue. NAWC and its member companies have the technical and financial capacity to tackle these challenges using the cyber pillars as our guide.
Right now, the lack of universal cybersecurity standards for all water and wastewater utilities is resulting in certain systems failing to meet basic compliance standards. These issues should be addressed in a way that is innovative and universally accepted by all systems, regardless of ownership. NAWC believes a national cyber mandate should be enacted to protect our community water and wastewater operations. We are calling on Congress to authorize the selection and creation of a water risk and resilience organization that would develop, implement and enforce cybersecurity risk and resilience requirements responsive to cyber threats and the needs of drinking and wastewater systems. Inspired by a successful model implemented in the U.S. electric sector, the organization would work in close partnership with the Environmental Protection Agency while bringing the sector-specific experience and knowledge necessary to protect the nation’s water infrastructure from cyber threats effectively and efficiently.
Protecting our water and wastewater systems is vital to our health and safety as well as our economic and national security. As cyberattacks continue to grow more sophisticated and the threats continue to grow, we must improve cybersecurity across the entire water and wastewater sector to protect our communities.