How federal funding, guidance can protect the water supply
Todd Helfrich, vice president of federal for Censys, explains why CISA and other agencies should play a larger role in protecting critical infrastructure.
After a series of troubling cyberattacks on U.S. water systems, the Environmental Protection Agency recently issued an enforcement alert to water system operators requesting they take action to ensure the security of the country’s water supply. The alert encourages operators to apply some basic but critical protective measures.
This isn’t the first time the federal government has focused its attention on this ongoing challenge.
Following the cyberattack on the Municipal Water Authority of Aliquippa, Pennsylvania, the federal government has renewed its focus on ensuring the security of the water and wastewater (WWS) sector of the country’s critical infrastructure, and recently issued a warning to water system operators regarding an uptick in attacks against those systems by pro-Russia hacktivists. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released new guidance on the actions that WWS entities should take to improve the resilience of their networks to cyberattacks as well as an incident response guide for the sector. Further proving the government’s renewed focus, in February 2024, the White House also issued an executive order to bolster the maritime sector further and upgrade security requirements for the nation’s ports.
Recent studies show that the vulnerabilities that permitted the Aliquippa attack are far from unique. In fact, Censys identified vulnerable and exposed Unitronics programmable logic controllers (the type of devices targeted in the Aliquippa attack) associated with water, wastewater and energy systems in the U.S. and found a total of 149 internet-exposed devices and services.
Unfortunately, there is a plethora of these vulnerable systems nationally, with the entire infrastructure lacking security controls. More often than not, the operators of these systems are focused on operational technology (OT) and lack the necessary cybersecurity skills to address the challenges that today’s bad actors present. Although the federal government offers limited oversight and grants to help, water authority organizations reside in municipal governments where funding for cybersecurity resources can be a major issue.
CISA’s recent guidance presents a significant step in the right direction, with common-sense recommendations that can help water authorities protect themselves. And while many of the recommendations might sound relatively simple, they address extremely complex problems that will be difficult to surmount.
For example, take the first recommendation in the CISA guidance: Reduce exposure to the public-facing internet.
CISA rightfully notes that the controllers and remote terminal units deployed in waterworks make easy targets when connected to the internet. It may sound like an easy fix to remove such devices from internet access, but the vulnerability may be due to compromised external systems that are connected to the water authority. For example, these systems may be associated with water towers or even gas stations and car washes that interact with the water authority via the internet. Consequently, all these connections must be managed and monitored – an extremely complex and arduous task.
Adding to the difficulty of this endeavor, municipal water authorities often lack the resources and staff to enact the recommendations in the EPA’s alert. Many are underfunded and have not traditionally prioritized cybersecurity as a critical aspect of their mission.
Consequently, we need a “whole of government” approach in which a federal agency like CISA can play an essential role. CISA and the Environmental Protection Agency – the agency designated by the White House to ensure that the water sector is prepared for any hazard, including cyber risks – are well positioned to lead a systematic process to support critical infrastructure organizations and operators that don’t have the funding, technical skill sets or acumen and guide them down the path as a partner to help solve these problems. Such an approach should begin with a few basic steps on the part of the federal government and water authorities:
Conduct an internal asset inventory. CISA and EPA can help leaders at municipal water authorities determine what systems, devices and data exist in their environment, both internally and externally. However, this should extend beyond a simple inventory. It must also include an understanding of the criticality of each of those systems relative to the organization’s ability to achieve its mission. The EPA’s Water Sector Cybersecurity Technical Assistance Provider Program trains state and regional water sector technical assistance providers who can assist with this assessment. The EPA also offers a Cybersecurity Incident Action Checklist specifically geared to helping water utilities prepare for, respond to and recover from cyberattacks.
Identify and monitor assets external to the organization’s domains. This includes looking at supply chains to understand potential vulnerabilities related to business partners, a step almost as important as understanding the inventory of the organization’s own assets. Most organizations have a good understanding of their internal assets but often don’t have a good handle on risks associated with external assets that the organization reacts with – which is how adversaries usually get into the environment. An unclear understanding of those external assets – especially internet-connected IT and OT systems – makes it extremely easy for the bad guys.
Continue to provide funding and grants to municipalities working to address critical infrastructure security issues. Congress and DHS should continue to provide funding that will help these organizations train their IT and OT workforce in cybersecurity, hire people with the skill sets they need and generally help these organizations to modernize their infrastructure. This funding should be contingent on supporting policies that will help facilitate training, modernization and closing the pay and skills gaps within municipalities that are specific to the water and wastewater issue.
On the other side of the equation, water systems operators should not hesitate to request help. CISA and EPA offer assistance to organizations upon request, so operators should take the initiative to proactively contact the EPA or their organization’s regional cybersecurity advisor at CISA.
There have been recent signs of progress. Reps. Rick Crawford (R-Ark.) and John Duarte (R-Calif.) are promoting a bill to create a government office to develop cybersecurity rules for water systems, with the EPA acting as an enforcer, as they already are the sector risk management agency. Also, EPA and White House officials in March asked a group of governors to develop plans for dealing with major cybersecurity risks facing their state’s water and wastewater systems, according to a report from The Wall Street Journal.
Finally, we need to view addressing this issue as a marathon, not a sprint, to beat the hackers. Our adversaries are continuously looking to poke holes in our defense, and it is mandatory that we do the same in order to keep them out – now and in the future. We must not lose sight of the stakes involved; our country’s national security may depend on it.
Todd Helfrich is the vice president of federal for Censys.
How federal funding, guidance can protect the water supply
Todd Helfrich, vice president of federal for Censys, explains why CISA and other agencies should play a larger role in protecting critical infrastructure.
After a series of troubling cyberattacks on U.S. water systems, the Environmental Protection Agency recently issued an enforcement alert to water system operators requesting they take action to ensure the security of the country’s water supply. The alert encourages operators to apply some basic but critical protective measures.
This isn’t the first time the federal government has focused its attention on this ongoing challenge.
Following the cyberattack on the Municipal Water Authority of Aliquippa, Pennsylvania, the federal government has renewed its focus on ensuring the security of the water and wastewater (WWS) sector of the country’s critical infrastructure, and recently issued a warning to water system operators regarding an uptick in attacks against those systems by pro-Russia hacktivists. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released new guidance on the actions that WWS entities should take to improve the resilience of their networks to cyberattacks as well as an incident response guide for the sector. Further proving the government’s renewed focus, in February 2024, the White House also issued an executive order to bolster the maritime sector further and upgrade security requirements for the nation’s ports.
Recent studies show that the vulnerabilities that permitted the Aliquippa attack are far from unique. In fact, Censys identified vulnerable and exposed Unitronics programmable logic controllers (the type of devices targeted in the Aliquippa attack) associated with water, wastewater and energy systems in the U.S. and found a total of 149 internet-exposed devices and services.
Join us on Oct. 1 and 2 for Federal News Network's Cyber Leader Exchange where we'll dive into how agencies are strengthening federal cyber capabilities.
Unfortunately, there is a plethora of these vulnerable systems nationally, with the entire infrastructure lacking security controls. More often than not, the operators of these systems are focused on operational technology (OT) and lack the necessary cybersecurity skills to address the challenges that today’s bad actors present. Although the federal government offers limited oversight and grants to help, water authority organizations reside in municipal governments where funding for cybersecurity resources can be a major issue.
CISA’s recent guidance presents a significant step in the right direction, with common-sense recommendations that can help water authorities protect themselves. And while many of the recommendations might sound relatively simple, they address extremely complex problems that will be difficult to surmount.
For example, take the first recommendation in the CISA guidance: Reduce exposure to the public-facing internet.
CISA rightfully notes that the controllers and remote terminal units deployed in waterworks make easy targets when connected to the internet. It may sound like an easy fix to remove such devices from internet access, but the vulnerability may be due to compromised external systems that are connected to the water authority. For example, these systems may be associated with water towers or even gas stations and car washes that interact with the water authority via the internet. Consequently, all these connections must be managed and monitored – an extremely complex and arduous task.
Adding to the difficulty of this endeavor, municipal water authorities often lack the resources and staff to enact the recommendations in the EPA’s alert. Many are underfunded and have not traditionally prioritized cybersecurity as a critical aspect of their mission.
Consequently, we need a “whole of government” approach in which a federal agency like CISA can play an essential role. CISA and the Environmental Protection Agency – the agency designated by the White House to ensure that the water sector is prepared for any hazard, including cyber risks – are well positioned to lead a systematic process to support critical infrastructure organizations and operators that don’t have the funding, technical skill sets or acumen and guide them down the path as a partner to help solve these problems. Such an approach should begin with a few basic steps on the part of the federal government and water authorities:
On the other side of the equation, water systems operators should not hesitate to request help. CISA and EPA offer assistance to organizations upon request, so operators should take the initiative to proactively contact the EPA or their organization’s regional cybersecurity advisor at CISA.
There have been recent signs of progress. Reps. Rick Crawford (R-Ark.) and John Duarte (R-Calif.) are promoting a bill to create a government office to develop cybersecurity rules for water systems, with the EPA acting as an enforcer, as they already are the sector risk management agency. Also, EPA and White House officials in March asked a group of governors to develop plans for dealing with major cybersecurity risks facing their state’s water and wastewater systems, according to a report from The Wall Street Journal.
Read more: Commentary
Finally, we need to view addressing this issue as a marathon, not a sprint, to beat the hackers. Our adversaries are continuously looking to poke holes in our defense, and it is mandatory that we do the same in order to keep them out – now and in the future. We must not lose sight of the stakes involved; our country’s national security may depend on it.
Todd Helfrich is the vice president of federal for Censys.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
Safeguarding critical infrastructure: Addressing threats to the water sector
US says cyberattacks against water supplies are rising, and utilities need to do more to stop them
With critical infrastructure being targeted, Biden admin considers next steps for water sector