Federal Cyber Mandates for Water Infrastructure Are Too Costly to Implement, Experts Say

Fortifying the cybersecurity protocols and technology surrounding water systems was raised as a priority infrastructure investment during a Congressional hearing on Wednesday, with lawmakers and experts characterizing recent hacking instances as major threats to public safety.

Witnesses underscored the challenges of applying advanced cybersecurity technology to water infrastructure systems—particularly in underserved communities—during the House Committee on Homeland Security hearing. 

“Maintaining a strong cyber defense is just as much a part of our infrastructure as maintaining our pipes and filtration systems,” David Gadis, the CEO of D.C. Water, testified. “Robust planning for cybersecurity is no longer optional in the water sector. It is a key part of what we do every day.”

He added that underfunded federal mandates put a disproportionate amount of strain on utility companies to handle cybersecurity infrastructure without adequate support––resulting in higher utility costs.

“Unfunded federal mandates are putting a lot of pressure on utilities, not only on the cyber side, but the infrastructure side,” he said. 

Gadis specified that D.C. Water developed its cybersecurity model after the guidelines put forth by the National Institutes of Standards and Technology, which specifically limits access to data systems that govern D.C. Water networks. 

He noted that federal engagement and partnerships that result in ample funding are key to maintaining strong cyber defenses and creating a resilient water infrastructure that can withstand hacks. Steady influxes of funding to support legislation focused on water infrastructure resilience, as well as training opportunities, were the most popular solutions presented by witnesses.

“Bottom line is training and people to provide that training at a no cost situation,” National Rural Water Association Senior Vice President John O’Connell said, noting that smaller and rural utility companies struggle to afford advanced technologies and adjacent training. He specifically referenced dwindling utilities jobs over the next three to four years as exacerbating the fallout from cyber attacks. 

“We need more people in the field to go to the utilities at a no cost situation so that we can provide these people with the proper training and give them more preparedness of what's to come down the road,” he said. 

The need for affordable training options would primarily benefit smaller utility companies that service more rural areas in the U.S. O’Connell said that these companies often do not have the contract specialists to even apply for available funding opportunities. A lack of hardware and technological infrastructure also hinders staff from accessing grant training.

“I can tell you that a lot of communities around the country still don't have…computers. They don’t have IT people,” he said. Increased federal resource allocation would help bridge the technological divide rural areas face and in doing so increase cybersecurity protections. 

Experts pointed to the real-world dangers that cyber-vulnerable water supplies present, as exemplified by the hack that occurred on the water supply in Oldsmar, Florida in early 2021. The water systems’ settings were augmented to harmfully change the chemical makeup of the town’s water supply. 

Part of President Joe Biden’s national infrastructure plan includes implementing a more robust cybersecurity posture to increasingly digitized infrastructure. Last week, the Department of Homeland Security announced a new federal funding initiative that allocated $1 billion to state and local cybersecurity programs aimed at threat reduction.