The computer systems that control a region's utilities run on common technology platforms and are vulnerable to hackers.
The greater use of computer systems to monitor and control the U.S. water supply has increased the importance of cybersecurity to protect the country's utilities, a top official for a large water company said on Monday.
Comment on this article in The Forum."There are new vulnerabilities and threats every day of the week," said Bruce Larson, security director for American Water, one of the country's largest water service companies. "The technology has advanced, along with the threat's access. A keyboard in Afghanistan can talk to computers in the U.S. We need to take a look at this."
Larson discussed the issue during an event at the U.S. Chamber of Commerce as part of National Preparedness Month.
The industrial control systems water and other utility companies use run on common technology platforms such as Microsoft Windows, which leaves them vulnerable to attacks from hackers or enemy states seeking to disrupt the country's water supply. In addition, a major natural disaster such as a hurricane could shut down servers, forcing a disruption in the supply of water and wastewater services.
"We're taking the full-spectrum, all-hazards approach," said Larson. "We need to bake security into the next generation of control systems."
Most of the nation's water supply infrastructure is privately owned so the Homeland Security Department must work with industry as well as state and local agencies to help protect critical infrastructure. To that end, the American Water Works Association released a roadmap earlier this year detailing its plans to secure all water control systems. Part of the difficulty is water companies vary greatly in terms of size and mission; while many have fully staffed IT departments, others rely on only a handful of people or are without a dedicated tech specialist.
Larson said ensuring continuity of control systems was crucial to protecting the nation's water supply. He suggested that agencies and companies have backup servers, computers and parallel IT infrastructures in place in the event of an attack or natural disaster to prevent disruption of service. For guidance, Larson said the water sector was turning to other public utility industries, which have been working on similar issues for years.
"The threats and risks are common with other sectors, so we gain a little commonality," he said. He mentioned the oil, gas and electrical industries along with the Nuclear Regulatory Commission as examples of groups grappling with similar challenges. "They're doing the same stuff, it's very similar; we just have to personalize it to our sector," Larson said.