Federal lawmakers examined the ability of US critical infrastructure to withstand a hypothetical cyber attack from Russia during an April 5 hearing, with witnesses pointing out that the water sector faces unique challenges.
Rep. Ritchie Torres — vice chair of the Homeland Security Committee and member of the subcommittee on Cybersecurity, Infrastructure Protection, and Innovation — said the United States is particularly vulnerable to cyberattacks because so much of its infrastructure is automated or digitized.
The recent arrests of suspected perpetrators from the cybercrime group LAPSUS$ are also a reminder that cyber attackers need relatively few resources to cause massive damage.
“LAPSUS$ has shown that with just $25,000, a group of teenagers can get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of cybersecurity risk management firm Tenable. “Consider Russia with much deeper pockets, focus and a mission targeting critical infrastructure.”
The water sector could be particularly at risk and has already been labeled by the Cyberspace Solarium Commission’s Executive Director, Mark Montgomery, as critical infrastructure’s “weakest link.”
Strengthening water system defenses could mean deepening industry-federal partnerships to ensure water entities receive timely and actionable guidance tailored to their specific contexts, as well as establishing minimum cybersecurity standards industry-wide, Kevin Morley, federal relations manager for the American Water Works Association (AWWA), said during the hearing.
The water challenge
Unlike its more consolidated critical infrastructure counterparts, the water sector is in the hands of a wide range of organizations, many of which are small and under-resourced.
“There are more than 45,000 community water systems serving fewer than 3,300 people,” Morley told federal lawmakers.
The industry also relies on a variety of physical infrastructure, and updating operational technology (OT) can be slow, particularly because services need to run 24/7.
“Rehabilitating or upgrading these OT systems can often be a three- or four-year capital improvement project to ensure the system continues to function throughout that time. So it’s not a quick process, but the support from our federal partners is encouraging,” Morley said.
Operational technology systems are also increasingly connected to the Internet or cellular networks to enable remote data collection that supports activities such as metering and billing or predictive maintenance of equipment, Yoran noted. But these connections must then be protected against potential cyber vulnerabilities.
Rep. Carlos Gimenez, R-Fla., suggested removing those risks through a mandate prohibiting critical infrastructure operators from connecting operational technology to the external internet, which Yoran said operators would likely find impractical.
The White House has also drawn attention to these vulnerabilities and recently raised funds for CyberSentry, a voluntary program that deploys sensors to monitor the OT and IT networks of participating critical infrastructure owners and operators. The new appropriations bill provides $95.5 million more than the Cybersecurity and Infrastructure Security Agency (CISA) requested for the program, according to Lawfare.
Get the right communications
Morley said the “Shields Up” website that CISA recently launched, which explains how organizations can improve their cyber posture, has helped consolidate useful information into one space, allowing organizations to stay up-to-date with the latest threat information and mitigations.
Still, federal partners must ensure that threat alerts and advice are not too technical for smaller water entities to analyze and understand how to apply to their particular systems and contexts, Morley said. After all, many of these entities do not have cyber personnel to decipher the information.
This is a place where industry partnerships can start, with the Environmental Protection Agency (EPA) and other water sector groups able to frame threat information to be most relevant to their space.
“Some reviews, in some cases, have a certain level of technical sophistication that probably requires a bit of contextualization. And that’s why we would encourage a little more front-line engagement between EPA and CISA, to make sure that this information is actionable for our members at the lowest level,” Morley said.
Entities also want to receive threat alerts from governments as quickly as possible.
Many witnesses at the hearing praised the Joint Cyber Defense Collaborative (JCDC) and government efforts to declassify and share information faster, but any extra speed matters.
Sharing government information can be slowed by worries about what to declassify, but Morley said water entities rarely seek out sensitive details like those about attributions and tactics. Instead, they often just want to know when a new vulnerability has been detected and what they need to do to mitigate it.
Another piece of the puzzle is ensuring that entities maintain their cyber hygiene and do at least the basics of defense. At this point, Morley argued for the creation of a minimum set of “risk and performance-based” cybersecurity standards for water sector entities.
Government Technology is a sister site of Governing. Both are divisions of e.Republic.