Cybersecurity needs to be top priority in nation’s water utilities
In February 2021, with a few clicks of a mouse, a hacker remotely adjusted the chemicals at a water treatment system in Oldsmar, Fla. Had the change not been detected, it would have turned the community’s water into poison.
That cyberattack came on the heels of another hacker breaching the drinking water system that serves parts of the San Francisco Bay area. In that cyberattack, programs used to treat water were deleted. The hack went unnoticed until the following day.
In both attacks, hackers exploited the same computer program to illegally access the water systems’ controls. In each case, quick-thinking employees and redundancy in the treatment systems saved entire communities from drinking, cooking and showering with dangerously contaminated water.
Unfortunately, the level of cyber sophistication at water systems varies greatly, and because the sector is such a target-rich environment, water utilities are ripe for cybersecurity attacks.
To better understand the cyber-related challenges facing the water sector, it helps to understand the demographics of drinking and wastewater systems compared to the electric sector.
There are about 3,300 electric utilities in the United States. The water sector, however, has about 50,000 individual community systems, more than half of which serve fewer than 500 customers.
The disparity between the physical, financial and cybersecurity resources at each of those 50,000 systems is often stark. The sector is fractured further by varying compliance and regulatory structures. Adding to the complexity is the sobering reality that too many system operators have been lax in their investments in physical and cybersecurity-related areas.
Understanding how vulnerable America’s water systems are to cyberthreats and bad actors and recognizing that the public health and economic impacts of a successful cyberattack would be dire is exactly the kind of thing that keeps utility operators up at night.
The National Association of Water Companies (NAWC) has represented the companies that 73 million Americans trust to engineer solutions that deliver safe, reliable, and affordable water since 1895.
More than 90 percent of NAWC members have a cybersecurity plan in place; however, NAWC’s members are the exception, not the rule, when it comes to preparedness and cybersecurity in the water sector. That’s why NAWC supports establishing national standards as a means of safeguarding all water systems from cyberattacks and protecting the communities they serve.
On Wednesday, May 18, NAWC is hosting its annual Cybersecurity Symposium in Washington, D.C. to discuss guiding principles for the sector’s path forward on this key issue.
We urge the Biden administration and Congress to continue making cybersecurity throughout the nation’s water sector a top priority. State and federal initiatives aimed at driving uniform cybersecurity compliance for all water and wastewater systems, as proposed by the Biden administration, are critical.
NAWC and its member companies welcome the reexamination of the cybersecurity oversight model for the water and wastewater industry and embrace requirements such as mandatory risk-based foundational standards.
One key step Congress can take immediately is establishing a North American Water Reliability Council (NAWRC) to manage the development of compliance standards and audit implementation of those standards. The NAWRC should be an independent, sector-led organization, not a government agency that mirrors the model used by the electric sector.
We believe NAWRC’s creation is an important piece of the puzzle to safeguard critical water and wastewater infrastructure, to provide a clear path forward for managing compliance standards and to defend the nation from cyberattacks.
Another important component to protect the U.S. water supply is establishing a new regulatory office that mirrors the Federal Energy Regulatory Commission. Housed in the Environmental Protection Agency, the office would oversee NAWRC’s proposed compliance standards for the drinking and wastewater sectors.
NAWC and its member companies have an ongoing commitment to safeguarding our water and wastewater infrastructure from cyberattacks and keeping water safe, clean and affordable.
Water is vital to our health and safety as well as our economic and national security. As the cybersecurity risks and threat vectors continue to grow and become more sophisticated, we can and must, continue to proactively improve the cybersecurity position across the entire drinking water sector. It is the surest path to a resilient water sector that is able to protect the communities we serve.
Robert F. Powelson is the president and CEO of the National Association of Water Companies (NAWC). He joined NAWC after serving on the Federal Energy Regulatory Commission. Powelson previously served on the Pennsylvania Public Utility Commission from 2008-2017, spending four years as Commission chairman. Powelson is the past president of the National Association of Regulatory Utility Commissioners (NARUC) and chairman of NARUC Committee on Water.
Gloss