POV: Focus on Water Cybersecurity Now, Before It’s Too Late

April 14, 2021

Written by Robert F. Powelson, President & CEO of National Association of Water Companies


Oldsmar, Florida, made headlines earlier this year. A hacker gained access to the county utility’s water treatment control systems and dramatically raised the amount of certain chemicals in the drinking water to dangerous levels. Fortunately, the hacker’s attempt was foiled before the water supply was effectively poisoned. This alarming cyber breach speaks to a larger, looming issue: the overall cyber protection of our water grid.

As a former Commissioner on the Federal Energy Regulatory Commission and in my current role as the President and CEO of the National Association of Water Companies (NAWC), I’ve seen firsthand how the threats that cyber criminals pose have evolved and intensified as technology has continued to expand capabilities and advance the interconnectedness of critical infrastructure across the globe.

The truth of the matter is, Oldsmar won’t be the last water system to come under cyberattack, and the consequences could be far more devastating for the next water system that is targeted. Now more than ever, we have to assure the general public that our security strategies are constantly evolving to meet the threat vectors that are on the horizon.

Understanding the Threat

By now, we know all too well that hostile nation-states and state-sponsored terrorists remain vigilant in their monitoring for weaknesses among U.S. critical infrastructure. In fact, the threats facing water utilities are so pervasive it’s led analysts and intelligence agencies to all but guarantee that water utilities will experience an attempted hack. In practice, that means that all drinking water systems, whether government-run like the system in Oldsmar or privately owned and operated by water companies like the member companies that NAWC represents, share the undeniable need for robust cybersecurity oversight.

Strengthening Our Water Sector Through Restructured Cybersecurity Oversight

Unfortunately, when it comes to the water sector, the current approach to cybersecurity oversight is ineffective in that it lacks a consistent set of preparedness requirements. Our current system allows cybercrime preparedness to vary from system to system, presenting a real threat to our national security. In order to better protect against future attacks on our water grid, we need to act now to revamp the cybersecurity oversight model.

Cybersecurity for critical infrastructure like our water and electricity grids poses unique coordination challenges across multiple agencies and levels of government, as well as among a wide variety of public and private sector utility operators.

However, while electric utilities have invested heavily in security for decades (according to the Edison Electric Institute, the sector spent $67 billion on grid security last year) and worked to establish effective and enforceable security requirements, cybersecurity for our water grid remains dangerously disjointed and uncoordinated.

Currently, all water systems voluntarily self-report their cyber protection protocols to the Environmental Protection Agency (EPA), the designated sector-specific agency tasked with overseeing cybersecurity. Through the EPA and the Water Information Sharing and Analysis Center (Water ISAC), water system operators participate in a “collaborative information exchange” around cyber and physical security.

In its current form, the water sector’s non-compulsory reporting and compliance model is ineffective in ensuring water system operators are exercising adequate precaution and taking the steps necessary to ensure cyber safety.

However, there are several steps we should take to make sure all water providers are up to the serious job of protecting public health and our water supplies from cyber threats.

  • Shift Oversight from Environmental Protection Agency to Department of Homeland Security

We need to ensure that water system data related to cyber and physical security is being directly shared with the federal agency best equipped to process and evaluate cybersecurity threats – the Department of Homeland Security (DHS). Changing the cyber security data collection protocol so that water system operators report to DHS instead of the EPA would be a meaningful first step in the right direction.

  • Establish Federal Cybersecurity Compliance Standards and Compulsory Compliance

At the state level, New Jersey and Indiana have worked to address water security through Water Quality Accountability laws that require all public and private water system operators to file cyber and physical security plans with their state public utility commissions. While these commonsense requirements are beneficial, strong federal oversight and guidance are still critical to protect our drinking water against attacks.

We need a more robust and enforceable compliance regimen that requires all water utilities to adhere to rigorous security benchmarks that reflect the serious cyber threats we face. Simply providing more funding will not solve our security challenges. We need federal authorities to provide comprehensive guidance and enforce strict cybersecurity standards for all water utilities.

  • Recognize Water System Safety as a National Security Imperative

The robust cybersecurity function of the electricity sector developed over several decades can provide a playbook for how to make the water grid more secure. For example, the sector’s Electric Sector Coordinating Council (ESCC) serves as a prime example of how industry leaders and the federal government can coordinate activities and enforce cyber preparedness.

Ultimately, the only way to ensure that access to safe water is treated as the national security imperative it is, is to apply the same level of investment and regulation as for our nation’s other critical infrastructure.

At the end of the day, we have to remember that water is the only utility that we ingest. And in an increasingly interconnected world, cyber security is now as critical as the security of physical infrastructure in ensuring our water is safe. Unless we invest in hardening our water supply against cybersecurity breaches, we can expect that events like the hack in Oldsmar will continue to present themselves with increasingly devastating consequences.

Robert F. Powelson is President & CEO of the National Association of Water Companies (NAWC) and a former commissioner of the Federal Energy Regulatory Commission (FERC). Mr. Powelson was the 2019 recipient of the FRI Crystal Award for Distinguished Contribution. POV pieces are the opinion of the author and do not necessarily reflect an official position of FRI or the University of Missouri.