NIST on tap to improve cybersecurity of water systems

Waste water pumps at a Boston-area water treatment facility. David L. Ryan/The Boston Globe via Getty Images

The National Institute of Standards and Technology (NIST) hopes a new project will create a set of best practices to help the nation’s complex water and wastewater systems bolster their cybersecurity posture.

The National Institute of Standards and Technology is seeking public input on a new project aiming to develop a cybersecurity reference architecture for the water and wastewater systems sector.

The National Cybersecurity Center of Excellence is leading the effort in collaboration with technology providers, the water and wastewater sectors and other stakeholders, and plans to publish a NIST SP 1800 series practice guide as a result of the project, according to an announcement published last week. 

The announcement comes as the federal government ramps up efforts to secure the nation's complex water systems infrastructure, which contains an estimated 152,000 publicly owned water systems and nearly 16,000 publicly owned treatment systems – many of which vary in size, capabilities and available resources. The new project "will demonstrate use of existing commercially available products to mitigate and manage" cybersecurity threats targeting water and wastewater systems, according to NCCoE. 

Studies paint a bleak picture of the current cybersecurity posture at water and wastewater systems nationwide. A ThreatLocker report published last year said that at least 38% of nationwide water systems allocate less than 1% of their budgets to Information Technology (IT) cybersecurity, and a Water Information Sharing and Analysis Center (Water-ISAC) survey revealed that a majority of water utilities have not yet fully assessed the risks to their IT assets. 

Water sector leaders have previously urged Congress and the Environmental Protection Agency to step up oversight efforts, describing their sector as the "weakest link" in America's critical infrastructure. 

The Cybersecurity and Infrastructure Security Agency (CISA) is also planning to prioritize efforts to bolster cybersecurity for water and other critical infrastructure sectors in 2023, according to Director Jen Easterly, who said at a recent Mandiant conference that "target-rich, resource-poor entities" require further collaboration to "drive down risks to all of our national critical functions."

But many water and wastewater systems are also "utilizing data-enabled capabilities to improve utility management, operations, and service delivery," NIST noted in its announcement, adding that "the increasing adoption of network-enabled technologies by the sector merits the development of best-practices, guidance, and solutions to ensure that the cybersecurity posture of facilities is safeguarded."

The public has until Dec. 19 to provide input on a draft project description for the new initiative.