A hack on municipal water and wastewater systems could have devastating consequences on an essential resource.
As a society, we are heading into a more turbulent period with increasing geopolitical conflicts. With that, new lines of attack are being opened which will be more coordinated, more complex and better funded than any we have seen before. The era where cyberattacks are limited to obvious finance and military targets is also over.
While past attempts to breach water organization networks and compromise American water supplies haven’t had much success (yet), the threat of a cyberattack happening anywhere at any time is enough to warrant throwing the full weight of technology and expertise behind securing America’s water infrastructure. Only one problem: water and wastewater cybersecurity is largely the responsibility of traditionally sub-federal utilities and plants that are often forced to make do with limited resources, operating across a patchwork of aging software systems.
The White House’s recent extension of President Biden’s public-private cyber task force to water and wastewater is an exciting and imperative development. It’s a federal move that will realize immediate, technology-powered local benefits to public health, safety and security. For this effort to be successful, however, it’s important to appreciate that a water authority in a rural town in Utah, Tennessee or Vermont should be as concerned about cybersecurity and threat detection as one servicing a metropolis like Miami, Los Angeles or New York City.
Hackers, and the tools they use to attack or attempt to infiltrate networks undetected, are more sophisticated than ever. When it comes to America’s national network of water and wastewater systems, cyber risks extend beyond IT and data vulnerabilities to public health and safety in the physical world. A hackable drawbridge or row of streetlights puts communities at risk of inconvenience. A vulnerable water supply or wastewater plant that can be infiltrated and rendered dangerous in a multitude of ways puts human lives in danger.
And then there’s the issue of resilience in the face of extreme weather, like the freeze that famously knocked power out in Texas last year, intensifying hurricane seasons plaguing the Atlantic coast, the megadrought out West and other natural forces impacting infrastructure security. People can live without electricity or transportation for extended periods of time. They simply cannot live without access to water services. Resilience is key in making sure systems, including water and wastewater, work under the most extreme conditions.
As we’ve seen from the COVID pandemic, issues tied to public health tend to be caught up in a broader, increasingly political conversation around truth and trust. For example, while America has some of the highest quality drinking water (most of the time) on the planet, it’s common for people to opt for bottled water—which can have up to 10x as much chemicals and/or pollutants as municipal water. While public trust in institutions from municipalities to the press has also wavered in recent years, it remains crucial to deliver accurate information to the public in the swiftest way possible—especially in crisis situations like a wastewater plant cyberattack.
Put simply, building trust with the public is as important as deploying cybersecurity technology and building infrastructure that actively protects water and wastewater resources.
Cities and towns around the U.S. need to match technology with strategy and information-sharing to successfully limit or, ideally, extinguish cyber threats to America’s water and wastewater systems. It’s not enough to have the best hardware or software. You need people who understand that threats to water and wastewater resources are more sophisticated than ever. Folks who know that attackers regularly find ways around firewalls, complex passwords, authentication software, security protocols and even physical barriers. And people who want to learn new and more sophisticated ways to protect the very systems—digital and physical—hackers might be after.
The meaning of national security in the U.S. expands with each new threat (foreign and domestic), technology, infrastructure modernization and sector undergoing digital transformation. That’s why it’s good to see the White House cyber task force is action-oriented and realistic about the enormity of the charge to protect America’s increasingly digital water and wastewater systems.
I’m particularly intrigued by the group’s dual promise to 1) help local water utilities prepare for cyber threats with strategic planning sessions and technical monitoring solutions and 2) set up a federal mechanism that enables local authorities to share cybersecurity data with peers across the U.S.
President Biden’s decision to extend the cyber task force to water and wastewater underscores the fundamental importance of water to everyone who lives in America. Protecting water that flows through systems—natural and utility-operated—to reach homes from Portland, Maine to Portland, Oregon is a noble and vital undertaking. And as world events with local implications like the COVID-19 pandemic and geopolitical tensions around the world persist, I’m hopeful the task force’s 100 day plan will be carried out in a swift, thoughtful, strategic and technology-driven way. I’m also optimistic that the public-private sector conversation around cybersecurity in the U.S. will include water and wastewater from now on.
It’s fair to say that a lot depends on it.
David Lynch is the co-founder and CEO of Klir, headquartered in Reno, Nevada.