Regional approach could solve water sector’s cyber challenges
Vithun Khamsong via Getty Images
By
Chris Teale
The federal government has repeatedly warned of threats to critical infrastructure, which faces budget and staffing challenges. Better collaboration could help ease some of those challenges.
Critical infrastructure and its cybersecurity were once again in the news recently, as a leading federal agency warned of weaknesses in some of their technology.
An alert from the Cybersecurity and Infrastructure Security Agency issued early this month warned that “unsophisticated cyber actors” are targeting operational technology — the hardware and software that controls devices and processes — in the oil and gas sector. CISA said “poor cyber hygiene” is to blame, and it can lead to “significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage.”
The alert once again highlighted the challenges that critical infrastructure operators face, especially in cybersecurity, where limited staffing and budgets combine with aging and unsecure infrastructure to leave them vulnerable to bad actors at home and overseas. States have looked to combat these issues through a whole-of-state approach to cybersecurity, which recognizes shared threats and prioritizes information sharing, but experts said it remains an ongoing problem.
"Critical infrastructure must move from "if" to "when" thinking,” James McQuiggan, a security awareness advocate at security training company KnowBe4, said in an email. “Eight years after NotPetya disrupted global operations, we're still seeing attackers rely on tactics that should no longer be effective, yet they are. That clearly indicates that many critical infrastructure organizations haven't hardened their defenses fast enough."
The water sector, too, has had plenty of previews of what can go wrong if bad actors exploit vulnerabilities in their cybersecurity posture. In 2021, the Oldsmar, Florida, water treatment plant looked to have been breached when an employee reported their mouse moving remotely and changing chemical levels to a dangerous amount. That incident was later blamed on employee error, not a cyberattack, but it was an example of what could go wrong if critical infrastructure is hacked.
A report released this week by construction engineering company Black & Veatch found that the water industry is “acutely aware” of the effects a cyberattack could have in the physical world. The survey of 680 people involved in the U.S. water sector found that safety and public welfare are top priorities, and making leaders see cybersecurity investments as a way to invest in that safety is crucial.
“There's a fundamental shift we believe is happening, and it's going to more of a consequence-driven approach,” said Ian Bramson, Black & Veatch’s vice president of industrial cybersecurity and a co-author of the report. “[You] can have an IT attack that has an OT consequence, meaning I can shut down your operations. … Stealing my HR data is unfortunate, poisoning my water supply is a whole different level of risk. Follow the risk on this, and you're going to understand where this dynamic is going, and how important that industrial side of that cybersecurity becomes.”
A regional approach to cybersecurity could help alleviate some of those challenges, Bramson said. That way, utilities could use “economies of scale” to procure solutions, share information and even bring on specialized staff to help solve some of their cybersecurity issues. It might mean a big change for operators but could be a solution.
“You have to figure out where you can get some more funding, and then you have to work collaboratively with providers and these experts in the area to figure out where that solution is,” Bramson said. “That's going to get you uncomfortable sometimes saying, ‘I've always operated on my own, but if I can operate as a whole region, we've now become a whole regional supply of someone who does monitoring or whatever service that is, if we can go together on this issue.’”
A lot of work lies ahead, however. Bramson said each utility is at a different stage of the “maturity cycle,” with many still needing to carry out an initial cybersecurity assessment and find the expertise to perform those assessments. More than half of those surveyed prefer their cybersecurity duties be handled entirely or mostly in-house, but finding staff to handle those duties remains difficult, as does paying them. The industry will remain cash-strapped, Bramson said, especially as federal grants dry up.
“It's going to be a constant problem,” he said. “It's a constant problem, up and down. It's not just the water industry. Now you have to start stitching together other grants to at least get you started. There are rate discussions that you can have.”