Officials and water sector professionals warned of ongoing cybersecurity vulnerabilities in the nation’s water and wastewater utility infrastructure at a Senate hearing on escalating cyber attacks against U.S. utilities and water-management organizations.
“I believe that the next Pearl Harbor, the next 9/11 will be cyber, and we are facing a vulnerability in all of our systems, but water is one of the most critical and I think one of the most vulnerable,” said Sen. Angus King (I-Maine), co-chairman of the Cyberspace Solarium Commission to the Senate Environment and Public Works Committee, on July 21.
Rep. Mike Gallagher (R -Wis.) said in his testimony before the committee that 44.8% of U.S. water and wastewater utilities allocate less than 1% of their budget to the cybersecurity of their operational technologies. “This leaves the water sector vulnerable to nation, state, and criminal adversaries and insider threats and gives them the ability to disrupt our critical infrastructure,” he said.
Challenges to the water sector range from maintaining awareness of threats to assessing risks to identifying and remediating vulnerabilities. And a shortage of qualified cybersecurity professionals across the country compounds the problems, Gallagher said. King, Gallagher, committee Chairman Ben Cardin (D -Md.), and ranking member Shelley Moore Capito (R-W.Va.) all noted that the recent cyber intrusion at a water plant in Oldsmar, Fla., was typical of the type of threat the water sector faces.
John Sullivan, chief engineer of the Boston Water and Sewer Commission, said before the committee that while his organization is well-funded and has successfully fended off cyber intrusions without ever paying a ransom, the gaps in both funding and technology savvy between the larger water utilities and operators and ones operated by smaller government bodies are vast. The Boston Water and Sewer Commission is the largest and oldest water system in New England and provides drinking water and sewer services to more than 1 million people daily. “The larger cities are able to afford this, but more information, more timely information is needed,” Sullivan said. “When you get to smaller units of government, there are so many other issues competing for resources.”
Sullivan said that many system managers do not have awareness of security issues, and that many local municipalities need funding to replace outdated systems. He added that switching to newer water system management technologies and engaging in best practices will help water sector managers better understand and fend off cybersecurity threats.
Sen. Moore Capito observed that the average age of water industry professionals is over 50 and that newer recruits look at cybersecurity differently. Sullivan and several other speakers echoed the fact that most professionals in the water management sector are of an older generation. Moore Capito said she expects the committee will include cybersecurity policies in a prospective water bill, which she said the committee is beginning work on.
“We’re not just going to rely on smart people [who] sit in their chair for 40 years and become super experts,” says Colby Manwaring, CEO of Innovyze, a cloud-based water and wastewater systems management and optimization technology firm recently acquired by Autodesk.
Manwaring told ENR that technology upgrades could free up staff time to better focus on the challenges facing water systems, and not just cybersecurity.
“We want to automate those repetitive, somewhat predictable tasks that are taking smart people’s time, so they can come up with innovative solutions that eventually progress from manual problem solving to semi-manual to automatic,” he said. “I don’t think we’re going to run out of problems to solve in the water industry any time soon.”