US House Energy Subcommittee holds hearing on safeguarding drinking water infrastructure from cyberattacks

The U.S. House Energy and Commerce Environment, Manufacturing, and Critical Materials Subcommittee conducted a hearing this week on safeguarding the nation’s drinking water infrastructure from cyberattacks. The latest hearing comes as a follow-up to last year’s May hearing held by the Subcommittee on Oversight and Investigations, at which the U.S. Environmental Protection Agency (EPA) testified. 

The hearing comes as water infrastructure and its systems become increasingly vulnerable to cyberattacks by adversaries and other malicious hackers, underscoring the need to strengthen their cybersecurity. It also provided an opportunity to discuss with experts and stakeholders how best to protect this key infrastructure from rising attacks and work toward mitigating future risks.

The witnesses at the subcommittee hearing were Cathy Tucker-Vogel, Public Water Supply Section Chief, Kansas Department of Health and Environment on behalf of the Association of State Drinking Water Administrators; Scott Dewhirst, superintendent and chief operating officer at Tacoma Water on behalf of the Association of Metropolitan Water Agencies; Rick Jeffares, president at the Georgia Rural Water Association on behalf of the National Rural Water Association; and Kevin Morley, manager for federal relations at the American Water Works Association.

Subcommittee Chair Buddy Carter, a Republican from Georgia, identified in his opening remarks that “China, Russia, Iran, and their proxies are constantly looking for ways to disrupt our critical infrastructure. Recent cybersecurity attacks on the water sector by Iranian hackers reminded us of this. Luckily, these attacks did not impact the safety of our water supplies. However, we cannot be complacent and hope for fortunate outcomes in the future.”

Carter added that “we must learn from these attacks and enhance the cybersecurity of our water sector assets.”

He also pointed out that “the water sector frequently operates on legacy technology systems, and small systems regularly lack the financial resources to hire cybersecurity staff. Water utilities are also facing generational challenges.”

“Rather than responding to these cybersecurity threats with one-size-fits-all regulatory standards that are costly and require and assume a level of technological sophistication to operate and maintain,” according to Carter. “We must focus on ways to increase cybersecurity collaboration within the water sector and opportunities for the Environmental Protection Agency and Department of Homeland Security to work jointly with these systems to achieve higher levels of cybersecurity. Cyber threats are not disappearing, and no amount of regulation, resources, or technical expertise can fully remove the threat,” he added.

Senator Cathy McMorris Rodgers, a Republican from Washington, outlined in her opening statement that the cybersecurity risks to these systems are expected to become increasingly frequent and complex. “From ransomware threats, where a bad actor’s attack compromises internal, administrative information, like customers’ personal information, to criminals potentially gaining control of a drinking water system in order to compromise the quality of the water being sent out to customers. The implications of these attacks go far beyond our water systems,” she added.

She pointed out that current law mandates that, every five years, drinking water systems serving more than 3,330 people assess their vulnerabilities to attacks, and that they incorporate the findings of these assessments into their emergency response plans.

“This ensures water facility operators are better prepared to mitigate threats, while also protecting them from cumbersome and ill-suited regulations that could hinder their ability to quickly respond when threats do arise,” according to Rodgers. “While there is always room for improvement, granting the federal government sweeping cybersecurity authorities over this sector—as some have suggested—will do more harm than good.”

In her witness testimony, Tucker-Vogel highlighted that asset management programs could be modified to include cybersecurity since OT (operational technology) and IT assets warrant continual upgrades and maintenance like pumps, pipes, and valves. “States that have training requirements for governing boards could be updated to include cybersecurity. Appropriately training system operators on cybersecurity should be added to operator certification programs. Cybersecurity awareness should be added to technical, managerial, and financial (TMF) capacity for water systems.”

Another potential solution Tucker-Vogel flagged is a coordinated outreach campaign by all organizations on the Water Sector Coordinating Council (WSCC) and the Government Coordinating Council (GCC) to raise the cybersecurity profile, by emphasizing the starting point of appropriate network monitoring so that the sector can better understand which systems are vulnerable and which are not. “Every potential communication channel should be used to advertise the existing cybersecurity tools and resources. The appropriate tools and resources exist, and more outreach is needed to increase the use of the tools and resources across the water sector,” she added. 

AMWA’s Dewhirst wrote in his testimony that as the subcommittee contemplates the best approach for the water sector, it is critical to include stakeholders at the table. “Any path forward should reflect a tiered, risk-based approach, guided by water sector experts, and focused on clear objectives rather than prescriptive, one-size-fits-all mandates. Aspects of appropriate standards or guidelines in place for the electric and other critical infrastructure sectors should be considered as models for similarly situated water systems.” 

He added that the AMWA would welcome the opportunity to participate in any discussions with the subcommittee to pursue these or other strategies to build waste and drinking water systems’ resilience to cyber threats.

Jeffares suggested in his written testimony that a path forward must include working with the water sector in a good faith effort to achieve practical safeguards and solutions; any additional or existing technical assistance provided by Congress through EPA to address this issue should be carefully drafted to ensure anticipated outcomes are feasible, including requiring third-party non-profits that are selected for funding have qualified and experienced personnel that possess cyber expertise, combined with practical knowledge of water systems operations; and lastly, that cybersecurity of water infrastructure must be a shared responsibility. 

In his written statement, Morley wrote that strong oversight of cybersecurity in the water sector remains critical. “There have been and will continue to be serious attempts to attack water systems. AWWA, CISA, EPA, and others have developed resources to help utilities assess vulnerabilities and implement cybersecurity best practices,” he added.  

In addition to establishing a sound oversight model, it is critical to recognize the challenges and opportunities for enhancing cybersecurity in the water sector. Functionally, Morley wrote that “we see the following areas of collaboration as being the most essential - Overcoming the Digital Divide, Threat Information Sharing, Vulnerability Mitigation and Technical Assistance.”

Unlike other critical infrastructure sectors, to date, there has been no dedicated funding to expedite technology upgrades at water systems, according to Morley. “Cybersecurity is one of many eligible activities within the State Revolving Fund (SRF) program, but constraints on that program may not allow utilities to acquire the optimal cybersecurity support they need. If the water sector is truly a national security priority, then we will need support to expedite these technology upgrades, address this digital chasm in a manner that is not punitive, and fulfill our shared commitment to the communities we serve.” 

He added that the U.S. Congress has allocated resources to the State and Local Cybersecurity Grant Program (SLCGP) which could potentially address challenges facing water utilities, but it appears too early to assess how the funds are being allocated at the local level. “We also encourage full appropriations for the grant programs authorized in America’s Water Infrastructure Act (AWIA) of 2018 to support water utility resilience with an emphasis on cybersecurity projects,” he added. 

This week, the Select Committee on the Chinese Communist Party (CCP) conducted a hearing to address the CCP’s threat to the American homeland. The objective of this move is to increase awareness and emphasize the risks associated with nation-state hackers who possess the ability to inflict significant damage and real-world harm on Americans. These actors achieve this by launching destructive cyber attacks that specifically target U.S. critical infrastructure and supply chains.

Last month, Veolia North America’s Municipal Water division reportedly experienced a ransomware incident that has impacted certain software applications and systems. In response, the company’s IT and security incident response teams have swiftly mobilized and are actively collaborating with law enforcement and other third parties to investigate and resolve the incident.
