It’s rare that four government agencies issue a joint advisory on a potential threat to the basic health and welfare of the entire U.S. population. But that’s what happened in October when the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency and Environmental Protection Agency warned that U.S. water and wastewater systems are being targeted by “known and unknown” malicious actors.
Their warning is not a theoretical one. In February, a hacker or hackers breached the water-treatment system in Oldsmar, Florida, and attempted to raise the level of sodium hydroxide, or lye, in the water more than 100-fold – from 100 parts per million to 11,100 parts per million. Sodium hydroxide, used to control water acidity, is poisonous at high levels.
Though an alert employee noticed his computer mouse cursor moving on its own, reset the sodium hydroxide levels and alerted his supervisor, the danger was real. As Sen. Marco Rubio, R-Fla., said at the time, water-system cybersecurity is “a matter of national security.”
Unfortunately, amid the press of other news, the Oldsmar story faded quickly, and neither the general public nor members of Congress seemed to pay much attention to the unusual four-agency advisory in October. The $1.2 billion infrastructure bill that ultimately passed Congress paid more attention to energy and transportation-sector cybersecurity than water protection. It’s not too late to wake up to the risk, though.
In a recent report from the Foundation for Defense of Democracies, we found that the significant cybersecurity deficiencies in drinking water and wastewater systems result in part from structural challenges.
The United States has about 52,000 drinking water and 16,000 wastewater systems, many of which service communities of fewer than 10,000 residents. These systems operate with limited budgets and even more limited cybersecurity personnel and expertise. The automation of technology that these water utilities implemented over the past two decades to both save money and increase efficiency has also exposed them to malicious cyber activity that could disrupt or manipulate services.
The Environmental Protection Agency is supposed to provide support and technical assistance to secure the nation’s water and wastewater sector against physical and cyberthreats as a sector risk management agency. For more than two decades, however, the EPA has not been resourced or organized to fulfill that mission.
More than a year and a half ago, in fact, the congressionally mandated Cyberspace Solarium Commission warned of “insufficient coordination between the EPA and other stakeholders in water utilities’ security,” echoing years of reporting by the Government Accountability Office.
The EPA cannot effectively assess and support the water sector because of a lack of will to confront this national security crisis. It certainly wasn’t a good sign when now-EPA Administrator Michael Regan made no mention of cybersecurity at his nomination hearing Feb. 3, 2021, days before the Oldsmar hack. He was also not included in the White House Cybersecurity summit Aug. 25, even though it included a panel on critical infrastructure cybersecurity in the energy, financial and water sectors.
Fortunately, this is a problem that can be addressed with government resources and closer collaboration with industry. The EPA’s Office of Water needs significantly more personnel, and the Agriculture Department’s Circuit Rider Program could use funding to provide cyber-specific technical support to rural water systems. Just $5 million a year would pay for up to 50 cyber circuit riders, who would travel around the country providing technical assistance to water utilities in rural areas. Their presence and know-how would be a boon for online security.
Meanwhile, Congress need not appropriate new money to EPA’s water-sector grant programs but, rather, direct that some existing grants focus exclusively on cybersecurity issues. EPA, in turn, should provide funds to the Water Information Sharing & Analysis Center and water associations that have been providing technical support and training to water utilities in the EPA’s absence.
Most dramatically, government needs to work with industry: Establish an oversight regime that develops water-sector cybersecurity standards and solicit input from water utilities and associations on prospective regulations.
In August of last year, the American Water Works Association issued a paper outlining regulatory options for the sector. When industry is asking for federal oversight and standards, you know something is broken.
We need to get ready before the next Oldsmar, because make no mistake, another attack is coming. We just don’t know when or where.
Send questions/comments to the editors.