US water at risk: Hackers thrive while feds stay idle.

December 25, 2023
2 mins read

Ominous warnings from the federal government early this month cautioning of the “malicious cyber activity against operational technology” commonly used by water and wastewater providers must serve as a wake-up call for the nation — especially when it concerns the only public utility service we ingest. Last month, cyber actors compromised computer systems designed to control and monitor equipment used to ensure safe and reliable water and wastewater service in Aliquippa, Pa. During the same time frame, the North Texas Municipal Water District experienced disrupted phones and impacted business computer systems when hackers said they obtained personal customer information.

Unfortunately, this is not new. In January 2021, a hacker deleted the programs used to treat water in parts of the San Franciso Bay area . One month later, a bad actor in Oldsmar, Fla., remotely adjusted the chemicals for the water treatment system creating a scenario where the area’s water could have turned into poison. Thankfully to date, unauthorized access to these sensitive systems has not impacted public health or our environment. However, the importance of ensuring the safety and reliability of our critical water and wastewater assets from cyber-related attacks cannot be overstated.

The level of cyber sophistication at the nation’s water and wastewater facilities varies greatly. To comprehend the inconsistencies, it helps to understand the highly fragmented nature of the water and wastewater industry. The United States has about 50,000 drinking water systems , 85 percent of which are government-run — and approximately 16,000 wastewater systems , of which around 90 percent are government-run. To put that in perspective, the nation has about 3,300 electric utilities . The disparity among each of those 50,000 systems is often stark.

The sobering reality is that too many system operators have been lax in their investments in not only the physical infrastructure but also cybersecurity-related areas. At the National Association of Water Companies, where I am president and CEO, over 90 percent of members have a cybersecurity plan in place. However, these companies are often the exception, not the rule, when it comes to preparedness and cybersecurity in the water sector. In 2021, NAWC worked to develop cybersecurity pillars to serve as guiding principles around cybersecurity, compliance and the sector’s path forward on this key issue. NAWC and its member companies have the technical and financial capacity to tackle these challenges using the cyber pillars as our guide.

Right now, the lack of universal cybersecurity standards for all water and wastewater utilities is resulting in certain systems failing to meet basic compliance standards. These issues should be addressed in a way that is innovative and universally accepted by all systems, regardless of ownership. NAWC believes a national cyber mandate should be enacted to protect our community water and wastewater operations. We are calling on Congress to authorize the selection and creation of a water risk and resilience organization that would develop, implement and enforce cybersecurity risk and resilience requirements responsive to cyber threats and the needs of drinking and wastewater systems. Inspired by a successful model implemented in the U.S. electric sector, the organization would work in close partnership with the Environmental Protection Agency while bringing the sector-specific experience and knowledge necessary to protect the nation’s water infrastructure from cyber threats effectively and efficiently.

Protecting our water and wastewater systems is vital to our health and safety as well as our economic and national security. As cyberattacks continue to grow more sophisticated and the threats continue to grow, we must improve cybersecurity across the entire water and wastewater sector to protect our communities.

Latest from Blog

Top CISA official looks back on four years of cyber work

TLDR: Eric Goldstein, a top official at CISA, reflects on progress made in cybersecurity during his tenure. Key achievements include understanding cyber risks, collaboration with industry, and encouraging secure product development. Eric

Juggling AI cybersecurity highs and lows

TLDR: At the 2024 MIT Sloan CIO Symposium, industry leaders discussed the challenge of balancing AI’s benefits with its security risks, particularly focusing on generative AI. While generative AI can bring benefits

Get your free Cyber Security eBook now Valued at $169

“`html TLDR: Key Points: Claim your complimentary eBook worth $169 for free before May 22. The eBook covers practical applications of cyber security and network security for professionals, engineers, scientists, and students.