Critical Infrastructure Security

Water Sector Leaders Urge Congress to Fund Cyber Mandates

The Water and Wastewater Sector Faces Growing Cybersecurity Risks, Officials Warn
Water Sector Leaders Urge Congress to Fund Cyber Mandates
Water, water everywhere, but a cybersecurity incident could change that. (Image: Shutterstock)

Small and rural water systems across the United States lack the funding and technical expertise to improve cybersecurity as the sector increasingly faces domestic and foreign threats, officials testified Wednesday.

See Also: Live Virtual Summit | Measuring Your Data's Risk & The Cost of Unpreparedness

The heads of several water and wastewater systems told the House Energy and Commerce Subcommittee on Environment, Manufacturing and Critical Materials that major disparities in resources are affecting the sector's ability to adequately identify and mitigate cyberthreats.

Rick Jeffares, president of the Georgia Rural Water Association, said state employees and local agencies "lack the resources and expertise to add cybersecurity enforcement to their workload."

"The reality is: Most rural utilities lack the financial resources and in-house expertise to defend themselves" from cyberattacks, Jeffares told lawmakers. The water sector workforce in Georgia is aging, and the average worker is 58 years old. "We anticipate the next generation of water operators will have a higher level of computer and cyber sophistication than I possess but in the meantime, we all need to continue learning to implement strong cybersecurity plans."

The Cybersecurity and Infrastructure Security Agency recently described the water sector as a "target-rich, resource-poor" industry due to the limited financial and technical resources available for many of the nation's more than 150,000 public water systems, particularly those in small and rural communities.

The Infrastructure Investment and Jobs Act of 2021 authorized $250 million over five years for an Environmental Protection Agency initiative that offers grant assistance to public water systems serving communities of 10,000 or more people to support projects aimed at reducing a water system’s cybersecurity risks.

But Congress has only appropriated $5 million for the program, according to Scott Dewhirst, superintendent and chief operating officer of Tacoma Water.

"Fully funding the program - or at least providing a level of appropriations closer to its annual $50 million authorization - would greatly expand the number of water systems that can tap these resources to improve their cyber defenses," Dewhirst told lawmakers.

Government watchdogs called on the federal government to better synchronize its efforts to improve water and wastewater cybersecurity efforts (see: US CISA Must Improve Water Sector Assistance, Says Watchdog). The U.S. cyber agency issued an incident response guide with the EPA and FBI earlier this month that urges water and wastewater systems owners and operators to develop organizational-level incident response plans and establish strong cybersecurity baseline standards.

"Cyber threat actors are aware of - and deliberately target - single points of failure," the guidance states. "A compromise or failure of a water and wastewater sector organization could cause cascading impacts throughout the sector and other critical infrastructure sectors" (see: New Guidance Urges US Water Sector to Boost Cyber Resilience).

The hearing follows a surge in cyberattacks targeting multiple U.S. water facilities in recent months, including an incident involving an Iranian hacking group known as Cyber Av3ngers, which targeted a small municipal water authority in Pennsylvania that was using Israeli-owned software in one of its facilities (see: Iranian Hacking Group Attacks Pennsylvania Water Authority).

"Smaller systems in our sector have significantly constrained budgets and must take into consideration new obligations to comply with multiple regulations," said Kevin Morley, manager of federal relations for the American Water Works Association. Morley said that water systems are already strained as they aim to comply with recently revised lead and copper rules and pending PFAS standards.

"Unlike other critical infrastructure sectors, to date, there has been no dedicated funding to expedite technology upgrades at water systems," Morley said. "If the water sector is truly a national security priority, then we will need support to expedite these technology upgrades, address this digital chasm in a manner that is not punitive, and fulfill our shared commitment to the communities we serve."

About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.