Do you remember the last time you didn’t have water? Reliable water delivery is something many of us take for granted. Our local water treatment plant sits at the edge of our neighborhood, and I pass it every day on my way to take the kids to school. Not a lot seems to go on there, so it never occurred to me that I should be concerned about an attack on this critical infrastructure. What does occur to me is the possibility of a cyberattack on our water system. In my role as the State and Local Practice Manager, I’m painfully aware of what a cyberattack can do to our critical government services.
I'm not the only one who's concerned. A recent Enforcement Alert from the EPA highlighted multiple nation-state cyberattacks on US Community Water Systems (CWSs). The alert also reminds CWS providers of their responsibilities under Section 1433 of the Safe Drinking Water Act (SDWA), which "requires all CWSs serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs), and certify their completion to EPA."
A 2023 EPA audit discovered that a staggering 70% of CWSs are in violation of Section 1433 requirements. Additionally, EPA inspectors "identified alarming cybersecurity vulnerabilities at drinking water systems across the country... For example, some water systems failed to change default passwords, use single logins for all staff, or failed to curtail access by former employees."
Why should we care? Because the impact of a cyberattack on a CWS could be catastrophic. The EPA cites possible ramifications such as “disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.” In the past year,we’ve already had two attacks on water systems in northwestern Pennsylvania and north Texas.
Though the situation may seem dire, there is good news: The federal government is offering a lifeline to local governments in the form of the Homeland Security Grant Program (HSGP). The HSGP is an annual grant program that allocates funding to state, local, tribal, and territorial (SLTT) governments to help prevent, prepare for, and recover from terrorist attacks. Although this grant program has been around about as long as the Department of Homeland Security, it has recently been updated to include cybersecurity funding.
This additional pot of money can support our underfunded and understaffed government cyber workforce, and our state governments would be wise to take advantage of it. Grant applications are due to FEMA this June, and I urge our state leaders to submit projects for National Priority Area No. 4 - Cybersecurity: “Cybersecurity investments must support the security and functioning of critical infrastructure and core capabilities as they relate to preventing, preparing for, protecting against, or responding to acts of terrorism…” Both the HSGP and the EPA point to the Cybersecurity & Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals as common guidance for water systems, including implementing data security protections (“System Backups”). This alignment should make it easy to get funding approved.
It’s not just about detection and prevention; CWSs and other critical infrastructure providers must be able to recover from cyberattacks. Funding exists for them to procure air-gapped, immutable, and access-controlled backups that can be tested and proven before the inevitable happens. Because cybersecurity is like water—every drop counts.
Find out more at https://www.rubrik.com/industries/critical-infrastructure.