
Water, the Soft Underbelly of Critical Infrastructure


Critical Infrastructure Security, Governance & Risk Management, Operational Technology (OT)

Fragmented Governance and Scarce Resources Make America’s Water Sector Vulnerable


America’s water utilities are the nation’s most cyber-vulnerable critical service sector, but their cybersecurity is overseen and supported by an ill-fitting patchwork of government agencies, and most lack the resources to meet the threat they face, a congressional panel heard Thursday.


“The far-reaching implications of a successful cyberattack that disrupts water treatment and distribution systems cannot be overstated,” declared Rep. Scott Franklin, R-Fla., chairman of the environment subcommittee of the House Science, Space and Technology Committee. “A cyberattack on water systems could lead to widespread ramifications across different sectors, including chemicals, manufacturing and energy … It can also severely impact emergency response operations, hospitals, firefighters and food production.”

Vulnerabilities in aging IT systems are compounded by the extensive use in the sector of supervisory control and data acquisition systems, Franklin said, a type of operational technology “which is one of the highest risk targets for cyberattacks.”

There are more than 50,000 water systems in the U.S. serving communities ranging in size from a few hundred people to millions in a major metropolitan area.

Other panel members and witnesses emphasized the resource gap faced by water utilities, especially smaller ones, which rely on an often shrinking user base that can’t afford big raises in water rates.

“It should worry us that the EPA has found that over 70% of the water systems the agency has inspected since 2023 do not meet basic security practices,” said Rep. Zoe Lofgren, D-Calif., the ranking member of the full committee. “This lag is making our water systems ever more susceptible to threats from malicious hackers, as well as foreign adversaries,” she said, noting that recent bulletins from CISA and other agencies had identified incursions into water systems by hackers from China, Iran and Russia.

It isn’t realistic to expect small utilities to defend themselves against the threat from nation-state hackers, the panel heard.

“Most small utilities have no cybersecurity staff, no IT department and budgets are committed entirely to keeping critical services flowing,” explained Virginia Wright, manager of the cyber-informed engineering program at the Idaho National Laboratory. “When a cyberattack hits, they have no resources to deploy.”

The changing threat environment, with well-resourced and expert adversaries, means “cybersecurity alone is no longer enough,” Wright said.

INL had developed low-cost engineering tools that could limit the damage from even a successful hack, she said, holding up a soup-can-sized widget called a time delay relay.

“It’s a simple, inexpensive engineering component. It introduces a deliberate pause before executing a command. It contains no software, and it cannot be hacked,” she said, explaining how it would prevent hackers who had taken over a system from overheating and destroying pumping equipment by repeatedly turning it off and then back on.

“Even with an adversary in full control, the relay buys enough time to run the system manually: The attack cannot cause its worst consequence.” She said cyber-informed engineering was about “engineering out the worst consequence of what an attacker, even a well-resourced attacker, can do.”

Perhaps the best-resourced attacker currently probing the U.S. water system is Volt Typhoon, a threat actor associated with the Chinese military, said Josh Corman, executive in residence for public safety and resilience at the Institute for Security and Technology and the co-founder of the non-profit UnDisruptable27.

The 27 in his organization’s name is a reference to U.S. intelligence reporting that Chinese President Xi Jinping has ordered his country’s military to be ready to seize Taiwan by 2027.

Volt Typhoon has pre-positioned on utilities that support U.S. military bases, he said. “The ability to degrade and delay our force mobilization, even a day or two, could allow them to complete their advance on Taiwan,” he noted. But more recent activity had been directed at “non-combatant civilian infrastructure, like the 10,000 person town in Littleton, Massachusetts, and the purpose of that [would be] to sow chaos in civilian infrastructure to undermine public support for our intervention,” in any China-Taiwan conflict.

“I get kind of angry when I think about this,” said Corman, “and I’m tired of wondering who’s going to hit us, when they’re going to hit us, how they’re going to hit us. I want to know what we’re going to do to fight back.”

He said UnDisruptable27 had “ruthlessly prioritized” and would focus its work on the 6,000 water systems that provided water for hospitals, and on preventing the cyberattacks with the worst consequences.

“So we may not keep them out, but we can keep the highest consequence failures from doing damage,” he said. “Now, I don’t like that answer, but that’s the answer for now.”

Witnesses told the subcommittee the burden of supporting those sector cybersecurity efforts on the ground, especially for smaller and rural water systems, is scattered unevenly around the government.

Funding and other support for water utilities’ cybersecurity efforts is “fragmented” across the EPA, the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency, and in rural areas, the Department of Agriculture, too, explained Nicole Tisdale, a former White House cybersecurity official now in private practice. “That is a lot of agencies that we are asking small communities … to navigate,” she said.

Moreover, “the federal role in infrastructure security is changing,” said David Hinchman, director of IT and cybersecurity for the Government Accountability Office, Congress’ investigative arm. He said the Trump administration had declared it will “increasingly defer to state and local governments to take the lead in infrastructure protection, but has not yet provided details on this departure from the federal government’s historical role.”

There are already important gaps in EPA authorities to set and enforce cyber standards, Hinchman added: “They don’t have authority over the owner operators they work with. They have to use the power of persuasion, education and collaboration to get things done.”

He said there were some creative fixes available. For example, EPA mandated that owner operators conduct risk assessments and prepare a resilience plan. “EPA can go on site to view those plans, but they’re not allowed by law to collect them themselves, to keep them in one repository where we could survey across the sector to get a sense for what the security is like across the country.” Industry insisted on that rule so the assessments and plan couldn’t be accessed under the Freedom of Information Act. But CISA, which could collect critical infrastructure information under a FOIA exemption, could create a national repository, he said.


