Water utility cyber investments stymied by unfunded mandates, fiscal pressures
Sunrise at New Croton Dam in New York state. Michael Orso/Getty Images
During a House committee hearing, utility representatives said they need more federal money and partnerships to face down cyber threats.
Locally run water utilities need more financial help from the federal government to stave off cyberthreats, as well as more expertise and assistance from security experts, witnesses told lawmakers last week.
Several witnesses at the House Homeland Security Committee hearing bemoaned the effects of unfunded federal mandates, which stretch local dollars and prevent water utilities, which are typically publicly run, from investing in other areas like cybersecurity.
David Gadis, the CEO and general manager of the District of Columbia Water and Sewer Authority, also cited the cost of chemicals jumping by $17 million from one year to the next as an example of other expenses that prevent proper cyber investment, even as threats multiply.
“Maintaining a strong cyber defense is just as much a part of our infrastructure as maintaining our pipes and filtration systems,” Gadis said in his written testimony. “Robust planning for cybersecurity is no longer optional in the water sector – it is a key part of what we do every day.”
Elected officials and witnesses highlighted recent cyber events to show the severity of the problem. John O’Connell, senior vice president at the National Rural Water Association (NRWA), said in his written testimony that hacks on systems in Oldsmar, Florida, and Ellsworth, Kansas, showed that smaller communities “can be a target” for cybercrime.
The Cybersecurity and Infrastructure Security Agency and the National Security Agency recently published an advisory for those who operate critical infrastructure control systems, warning of the risks they face, and recommending a number of steps operators can take to mitigate any threats. The agencies cautioned that the continued integration of information and operational technology can “provide cyber actors with a larger attack surface into cyber-physical environments.”
Rep. John Katko (R-N.Y.), the committee’s ranking member, said in his written testimony that the incident in Oldsmar in which hackers altered the chemicals in the water treatment system and could have endangered residents had they not been stopped “demonstrated first-hand the devastating, real-world consequences that a cyber attack can have.”
Craig Fugate, a former administrator of the Federal Emergency Management Agency, said the cyberthreats are across all critical infrastructure and that attackers now include nation-states, which he said are looking to “disrupt national security, our ability to mobilize, our economies and our confidence in government.”
But even in the face of those threats, expenses continue to spiral for local water utilities. Gadis said the costs are “outrageous,” especially as unfunded federal mandates put pressure on the companies, and they try to avoid passing those costs to ratepayers. O’Connell said it can mean cutting staff positions — he noted that he works part-time at the NRWA — or using resources that are “above and beyond” what is available.
Rep. James Langevin (D-R.I.) noted that in a 2021 survey by the Water Sector Coordinating Council, 73% of those surveyed said they had between zero and two employees dedicated to network security, adding that lawmakers “appreciate the challenges” associated with finances.
In addition, witnesses emphasized the need for partnerships between federal agencies and local water utilities and the need to share resources and expertise. The Environmental Protection Agency is set to give states more regulatory authority over the water sector’s cybersecurity, but Gadis said the federal government must be a strong partner as well.
One solution O’Connell floated is a Department of Homeland Security initiative that would implement what he described in his testimony as “national collaborative cybersecurity water supply protection” which, he said, “would result in communities focusing on enhancing security based on local risks.”
“Only local experts knowledgeable of the individual systems can identify the most vulnerable elements in the community and detect immediate threats,” O’Connell continued. “This initiative could provide funding to rapidly assess the efficacy of all small water utilities in protecting their cyberinfrastructure, develop reasonable protocols to enhance protection, provide assistance to any inadequate cyber protection plan, and document the state of the cyber protection in all small water supplies.”