Water Utility Cybersecurity is Under Water
The development of best-in-class water utility cybersecurity protocols are lagging behind other utility sectors such as gas and electric. Although larger water purveyors are relatively well-positioned to combat system hacking, most of the country’s approximate 70,000 water and wastewater utilities are ill-equipped to handle an attack.
The decentralized, fragmented nature of the industry presents challenges when it comes to the implementation of industry-standard best practices. Small water companies simply do not have the bandwidth to adequately address the risk. That said, improvements are happening, albeit at a snail’s pace.
How Water Utility Cybersecurity is Evolving
Water utility cybersecurity often plays second fiddle to the power sector in the press, yet the risks are just as great. A hacker who gains control of a water utility’s network could release poisonous chemicals into the system, cross pollinate water and wastewater infrastructure leading to mass illness, or compromise valves and other parts of the physical infrastructure, just to name a few. In fact, a report from 2018 identified 63 cyber vulnerabilities in the water sector, accounting for a whopping 15% of all industrial security problems identified.
The good news is that the sector is beginning to realize the precarious nature of where it currently stands and is making strides to share information and best practices:
- In 2018, America’s Water Infrastructure Act of 2018 was signed into law by President Trump, and it requires any water utility servicing more than 3,300 customers to have cybersecurity plans and protocols in place.
- Some states are passing new water utility cybersecurity regulations. New Jersey, for example, passed the Water Quality Accountability Act in 2017, which requires any water utility with more than 500 connections to develop and submit a cybersecurity program, provide relevant training, and report any threats. New York is also ahead of the curve, conducting annual reviews of the state’s water utility cyber plans.
- The Water Information and Sharing Analysis Center (ISAC), created in 2002, is planning to partner with the power sector’s ISAC, which will accelerate knowledge-building because electric and water utilities use similar control systems and equipment and are subject to similar cyber risks.
- Water industry groups like the AWWA are developing cybersecurity tools and resources.
In the final analysis, water utility cybersecurity is as important as it is in the power sector, and now – finally – industry and regulatory players are coming to grips with this cold, hard truth.