Water utilities across the country are plagued by a lack of cybersecurity funding and qualified personnel, a ThreatLocker report warns, as officials work to create new guidelines on securing critical infrastructure.
Danny Jenkins, CEO and cofounder of the cybersecurity firm ThreatLocker, was terrified when he first heard the details behind a cyberattack on a Florida water treatment plant earlier this year.
Officials said hackers exploited an outdated version of Windows in an apparent attempt to poison the water supply for a local community. Jenkins wasn't just alarmed that hackers had successfully managed to gain remote access to the plant's TeamViewer software to jack up levels of sodium hydroxide to a lethal dosage, but that a single operator could potentially tamper with the chemical levels - regardless of whether that person was a hacker or utility employee.
"Why was an operator, a single person, able to turn a dial that could poison the water?" Jenkins said in a recent interview with FCW. "Water companies tend to live in the past because their technologies live in the past … Regardless of the IT parts of this and the controls we put in place, the limitations need to be put in place as well."
On Tuesday, ThreatLocker published a report titled Protecting water infrastructure against cyberattacks, which explores issues water utilities have faced when looking to improve their cybersecurity posture. Jenkins said he hoped the report can serve as a framework for officials tasked with creating new guidelines on best cybersecurity practices for water management and other critical industries ahead of a Sept. 22 deadline from in the recent White House memorandum on improving cybersecurity for critical infrastructure control systems.
Water utilities plagued by lack of IT cybersecurity funding
ThreatLocker's report detailed severely limited information technology (IT) and operational technology (OT) financial resources for water utilities across the country.
For example, at least 38% of systems nationwide have allocated less than 1% of their overall budgets to IT cybersecurity, according to Information Systems Audit and Control Association's (ISACA) "Cybersecurity 2021 State of the Industry." Another 22.1% of systems were allocating just 1% to 5% of their budgets towards addressing IT cybersecurity issues.
State and local infrastructure advocates have testified on Capitol Hill in recent weeks about the need for increased federal investments in cybersecurity resources around water infrastructure for rural and small communities.
The $1 trillion infrastructure bill currently being considered in the U.S. Senate also includes a section on cybersecurity support for public water systems as part of a planned $48.4 billion investment in water infrastructure. The bill tasks the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize risks to public water systems and the sources of drinking water. Under the bill, federal officials will provide site vulnerability and risk assessments, along with additional support and consultation, for public water systems which CISA determines should be prioritized for cybersecurity support.
A federal auditing process for water utilities similar to the one detailed in the legislation may also help provide clearer, standardized regulations for any public water system hoping to improve its cyber posture, Jenkins said.
Experts at a Senate Environment and Public Works Committee hearing in July pointed to federal initiatives they said were currently underutilized, like the Rural Water Circuit Rider Program, which can provide technical assistance like cybersecurity training and other resources to water utilities and their employees.
The water industry has largely failed to establish clear, universal guidelines around cybersecurity on its own, the report noted, with water infrastructure management typically left up to local municipalities or private firms.
A recent Water Information Sharing and Analysis Center (Water-ISAC) survey showed a majority of water utilities have yet to fully assess risks to their own IT assets.
Though added financial resources can go a long way in improving cyber posture, Jenkins noted water utilities were in need of clear guidance on how to spend funds in order to adequately protect their infrastructure.
"I hope the government is putting together tangible guidance which people can actually follow as opposed to vagueness," he said. "Everyone wants a list of ways to move forward. Nobody knows what to do right now."