The water sector is watching closely as the federal government moves forward on plans to bolster cybersecurity at private and public entities.
Federal cybersecurity legislation won the approval of a key Senate panel on Tuesday. The bill would formally give the National Institute of Standards and Technology (NIST) the authority to create voluntary cybersecurity guidelines, an undertaking it has already begun.
Water interests have weighed in heavily on the development of NIST’s cybersecurity framework. Earlier this year, the agency collected comments on how to improve cybersecurity for critical infrastructure, and various water stakeholders voiced their views.
The Association of Metropolitan Water Agencies (AMWA) pointed out that “built-in resiliencies” already exist in water systems. “Many utilities rely on industrial control systems to operate monitoring, reservoirs, raw water intake, treatment, and finished water distribution infrastructure,” the group said. “Somewhat unique to the water sector is that while these systems may be highly automated, the infrastructure can be operated manually in the event of an incident. This prevents prolonged inoperability so that safe water continues to flow.”
AMWA said regulators should prioritize affordability as they draw up suggestions, noting cost challenges in the water sector. “Water and wastewater systems face billions of dollars in costs to replace and rehabilitate aging infrastructure, not to mention increasing regulatory compliance costs,” the group said. “No utility is immune from such challenges, nor from intense pressure against increasing rates. So we urge NIST to take these factors into account.”
The Water Environment Federation (WEF) said guidelines should be “voluntary, cost-effective, and nonburdensome.” It acknowledged that more work is needed to ensure cybersecurity in the water sector. “Steps must be taken to enhance existing efforts to increase the protection and resilience of water sector infrastructure, including the maintenance of a cyber-environment that encourages efficiency, innovation, and economic prosperity, while protecting privacy and civil liberties,” WEF’s comments said.
The National Rural Water Association (NRWA) encouraged collaboration with local stakeholders so that the guidelines enhance “local security based on local risks.” The group said “only local experts can identify the most vulnerable elements in the community and detect immediate threats.”
The water industry has faced various cybersecurity attacks in the past. In 2006, a foreign hacker breached security at a water filtering plant near Harrisburg, PA. “The hacker tried to covertly use the computer system as its own distribution system for emails or pirated software,” ABC News reported.
Special Agent Jerri Williams of the FBI’s Philadelphia field office reportedly said that the computer under attack controlled a key system, “and if, for some reason, [the attack] caused it to fail, it would have disrupted service.”
Another high-profile attack came a year later, when "a former employee of a canal authority in Northern California was charged with damaging the computer used to divert river water to farmers’ fields," according to a report by Rockwell Automation.
Cybersecurity incidents in the water sector are on the rise. The Repository of Industrial Security Incidents (RISI) reported a 300 percent increase in reported events between 2004 and 2009.