Microsoft, Cyberspace Solarium Commission propose measures to strengthen water sector cybersecurity

Microsoft and the Cyberspace Solarium Commission (CSC) 2.0 recently published a report addressing the cybersecurity gaps in the water and wastewater systems sector. It identified that the vulnerability and the criticality of water and wastewater systems make them prominent targets for profit-seeking cyber criminals and geopolitical rivals exploiting a new domain of conflict, thus requiring robust communication and cooperation across the public and private sectors at every level.

To support this multi-stakeholder engagement, Microsoft and CSC 2.0 jointly hosted a series of roundtable discussions late last year and in 2023 on cybersecurity in the water and wastewater sector. Over four virtual gatherings, experts from federal agencies and the U.S. Congress, as well as from across the water and technology sectors, joined in discussions around threats to the sector; standards, best practices, and emerging regulations to reduce cyber risk; international obligations to protect the water sector from cyberattacks; and how to build cyber resilience across the sector.

Titled ‘Multistakeholder Insights to Advance Water and Wastewater Infrastructure Cybersecurity,’ the report paints a picture of a sector challenged by gaps in cybersecurity risk management alongside a severe lack of resources to address them.

To federal and state legislators, the report recommends adequately resourcing the U.S. Environmental Protection Agency (EPA), since addressing the cybersecurity and resilience needs of water critical infrastructure requires national coordination and investment. The administration needs to request, and Congress needs to support, sufficient funding for the EPA to fulfill its obligations as the sector risk management agency for the water and wastewater sector.

Additionally, it recommends expanding successful programs that go beyond the EPA and encompass other federal agencies such as the Department of Agriculture. These agencies already have programs in place that promote the resiliency of the water and wastewater sector. Therefore, Congress should take the initiative to broaden these programs and provide comprehensive cybersecurity support to the sector. 

It is also recommended to utilize state-level funding mechanisms. State administrators should take advantage of funding streams such as the Drinking Water and Clean Water State Revolving Funds. These funds can be used to develop and allocate resources for comprehensive policies aimed at enhancing cybersecurity in the water and wastewater sector.

The report called upon federal agencies to enhance collaboration with sector stakeholders in addressing cybersecurity requirements. Instead of relying solely on regulatory measures, the federal government should engage with sector stakeholders to establish a collaborative public-private oversight program. The program will play a crucial role in enhancing the reliability and security of the sector. Furthermore, it should facilitate the development of industry-led cybersecurity requirements specific to the sector.

It is also suggested to fund public-private research on water system industrial control system (ICS) security. The water and wastewater sector has historically been underinvested in cybersecurity, resulting in limited research on cybersecurity for operational technology systems. To address this, the federal government, potentially in collaboration with industry groups, should provide funding for a test bed dedicated to cyber-physical security research on industrial control systems and operational technology in the water sector.

The report recommends strengthening international norms to discourage state-sponsored attacks on the water sector. It emphasizes the importance of explicitly mentioning violations of international laws or norms in public attributions of cyber incidents, particularly when critical infrastructure is targeted. It also recognizes ‘due diligence’ as a legal obligation. 

The administration should join with several partner countries that have already recognized that this principle extends to cyberattacks as well, especially when such attacks target critical infrastructure like water systems. This would encourage governments to take responsibility for malicious activity within their borders. 

The first roundtable in the series focused on understanding the nature of cyber risk and the threats to U.S. water and wastewater infrastructure, and why it faces such acute challenges in managing cyber risk. In addition to Microsoft and CSC 2.0 experts, this roundtable featured speakers from Congress, the Office of the National Cyber Director, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Water Sector Coordinating Council, and a large, regulated water and wastewater utility.

The second roundtable addressed emerging regulations aimed at improving the cybersecurity of water and wastewater infrastructure, as well as how the sector is already using standards and best practices, and how those standards and practices can help both regulated and non-regulated utilities improve their cybersecurity. This roundtable featured speakers from the EPA, the National Institute of Standards and Technology (NIST), the Water ISAC, the Association of Metropolitan Water Agencies, and national security think tanks.

The third roundtable focused specifically on nation-state attacks and international obligations to protect the water sector from these most sophisticated threat actors. This roundtable featured speakers from Microsoft, CSC 2.0, Congress, academia, and U.S. and international think tanks, as well as former government officials. 

Experts at the roundtable noted that states have a responsibility to refrain from targeting critical infrastructure, including water systems, via cyberattacks, both ethically and under international law. And yet, state-sponsored cyber operations have targeted water infrastructure, including most recently during Russia’s war against Ukraine. Experts noted that it is not unreasonable to expect similar attacks targeting critical infrastructure in the U.S. in the future.

The final roundtable in the series explored building cyber resilience across the water and wastewater sectors. This roundtable featured speakers from Microsoft, CSC 2.0, the EPA, the Water ISAC, and the American Water Works Association (AWWA).

Experts noted that building cyber resilience in the water sector requires a comprehensive approach that begins with conducting a cybersecurity risk assessment. Various risk assessment tools tailored to the sector’s diverse needs are available, such as the sector-specific tool developed by AWWA based on the NIST framework. The EPA has also developed tools to assist in this process. 

In addition to the above principles, speakers offered specific, actionable steps operators should take to improve their cybersecurity posture and operational resilience. These include asset inventory and assessments, training staff, maintaining a data management profile, protecting systems from unauthorized access, and implementing secure network design. 

The report also identified that while a risk assessment provides insights into necessary measures, addressing cyber risks can be costly. “Large water utilities may need to invest tens of millions of dollars to overhaul their operational technology systems. Meanwhile, smaller utilities may not have the funds to make the necessary upgrades.”

“Improving cyber maturity and resilience across the water sector will depend on multistakeholder cooperation across industry, civil society, and at every level of government,” Kaja Ciglic, senior director for digital diplomacy at Microsoft, wrote in a company blog post. “The report breaks down its key recommendations by stakeholder group, with specific guidance for legislatures (state and federal), agencies, regulators, and sector operators, in order to drive comprehensive understanding of what is needed for reform.”

To further help small- and medium-sized water utilities strengthen their cybersecurity defenses, Microsoft, the Cyber Readiness Institute (CRI), and the Foundation for Defense of Democracies (FDD) have launched a cybersecurity pilot program to provide tailored cyber readiness coaching to water utilities and training for their employees. Registration is still open to eligible utilities that would like to participate. The data and lessons from the pilot program will further help to inform critical infrastructure cybersecurity policy and the development of similar efforts in the sector. 

In conclusion, the report identified that the significance of water systems extends far beyond their immediate impact on drinking water and sanitation, affecting numerous critical sectors reliant on safe and reliable access to water. “Disruptions to water functions have cascading effects on agriculture, food production, healthcare, emergency services, and other critical infrastructure sectors. These interdependencies, combined with the distributed ownership and operation of water infrastructure across nearly 100,000 entities, demand a collaborative approach to cybersecurity, bringing together government and sector expertise and resources,” it added. 

Furthermore, the spirit in which speakers and participants shared their analysis, ideas, and recommendations during the Microsoft-CSC 2.0 roundtable series serves as a model for the public-private collaboration needed to protect this most vital critical infrastructure sector. 

In September, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the Environmental Protection Agency (EPA), the Water Sector Coordinating Council (WSCC), and the Association of State Drinking Water Administrators (ASDWA), published a fact sheet on free cyber vulnerability scanning for water utilities. The document explains the benefits of CISA’s free vulnerability scanning program and walks utilities through the steps for enrolling in the service.
