Dec 16, 2023 - Technology

Cyberattacks against U.S. water supply inspire policymakers, system operators

Illustration of a poison symbol made of binary code, over water.

Illustration: Brendan Lynch/Axios

A wave of state-backed cyberattacks against U.S. water systems in the last month is bringing federal attention back to the digital challenges facing water utilities.

Driving the news: Late last month, an Iran-linked hacker group hacked a water authority in western Pennsylvania, along with a handful of other unidentified water utilities and critical infrastructure organizations.

Why it matters: While the attacks had seemingly no impact on water supplies, they sent a clear warning to policymakers and water utility operators to prioritize basic cyber hygiene.

  • Anne Neuberger, deputy national security adviser for cyber and emerging tech, told the Associated Press last week that the attacks should be a call to action for utilities.

The big picture: The U.S. water system is made up of 150,000 individual systems, and 93% of those serve fewer than 3,000 people, said Kevin Morley, manager of federal relations for the American Water Works Association, at an event in Washington this week.

  • The vast majority of water utilities are municipality-run entities, leaving them with little funding to hire cyber-specific staffs and provide basic employee cyber training.
  • Many water systems also operate on legacy systems that are tricky to upgrade or bring into the cloud, experts say.

Catch up quick: Even before the recent wave of cyberattacks targeting water systems, the Biden administration was facing difficulties regulating the sector's cybersecurity needs.

  • The Environmental Protection Agency attempted to require states to include basic cyber questions in already required sanitation inspections — but ultimately, the agency had to withdraw the rule due to a court challenge.

Between the lines: Despite the legal hurdles, policymakers and industry leaders still see a path forward for water utilities to quickly step up their cyber strategies, according to a report released Wednesday by Microsoft and the Cyberspace Solarium Commission 2.0 (CSC 2.0).

  • For one, water sector operators should conduct their own risk assessments and implement multifactor authentication on capability systems, the report notes.
  • State administrators can also allocate funds from existing pools, including those in the Drinking Water and Clean Water State Revolving Funds, to cybersecurity upgrades.
  • The recommendations are based on a series of roundtables hosted in late 2022 and 2023 with industry and government participants.

Details: The report's authors are also mobilizing to help small water and wastewater utilities tackle one of their biggest vulnerabilities: human behavior.

  • Over the next year, Microsoft, the Cyber Readiness Institute, and the Foundation for Defense of Democracies (FDD), which houses the CSC 2.0, will coach small water and wastewater utilities on basic cybersecurity and provide employee trainings.

What they're saying: "We're at a point where we're shifting towards more than just the 'what,'" Morley said at the event unveiling the report. "How do we get to there and enable them with the 'how' part? There are number of different paths we can get there."

Yes, but: Waiting for the EPA and other regulators to pass new regulations isn't an option, Tom Fanning, executive chairman of Southern Company, said during this week's event.

  • "We've always got to find a way to do better," Fanning said. "Given the urgency of the problem, what we got to do is move as fast as we can."
  • Fanning pointed out that water utilities, along with the rest of the private sector, need to "move with a sense of urgency" and start taking advantage of free cyber resources available to them.
Go deeper