By D. Lee Forsgren & Dave Ross
July 1, 2021 at 5:00 am ET
In February 2021, a cyberattacker hacked the Oldsmar, Fla., water utility with the intent of adding harmful quantities of chemicals into the drinking water that serves the city’s 15,000 citizens. An attentive utility employee saw his mouse being moved around his computer screen by the hacker and thwarted it.
A month later, a released indictment showed that a water district worker in Ellsworth, Kansas, was charged for logging into the plant’s computer system in March 2019 with the intent of harming the water used by residents in eight counties. And in the past few years, water utility systems in Lansing, Mich.; Jacksonville, N.C.; and Fort Collins, Colo., have been victims of ransomware attacks.
Our nation’s water and wastewater operators are everyday environmental heroes, but the Oldsmar incident took that community-first mentality to a different level. The Ellsworth incident, however, reminded us that even in an industry filled with public servants, we must be vigilant for bad actors.
Just as cybersecurity is the latest challenge for oil pipelines following the five-day shutdown of the Colonial Pipeline last month after a ransomware attack, the nation’s roughly 150,000 public drinking water systems that serve more than 80 percent of Americans are grasping the growing danger to their critical infrastructure.
They should, and so should the American public and our elected officials, because a successful attack against a drinking water system could harm public health and disrupt our way of life.
Cyberattacks against water systems have become more sophisticated and dangerous in the past year. Earlier incidents focused on financial crimes, such credit card theft and mining of personal information. In the Oldsmar incident, dangerous levels of chemicals could have been released into the drinking water before an alert plant operator quickly lowered the level. Recent events demonstrate that criminal cyber networks are more frequently turning their attention to infrastructure, and there is growing evidence that nation-states have broad capabilities in this arena, opening up a new front in our national security complex.
We have spent much of our adult lives on water-related issues. Most recently, as the deputy assistant administrator and assistant administrator for the Environmental Protection Agency’s Office of Water, we worked closely with the career experts within our homeland security and water program offices to better integrate cybersecurity risks in the water sector within our national response framework. That includes adding EPA to the Cyber Working Group, a cross-agency federal task force focused on implementing a whole-of-government approach to responding to attacks on the nation’s 17 critical infrastructure sectors.
The good news is that our national security complex and EPA have been working to protect the nation and our water sector from cybersecurity risks for the past several years. While the public and media are growing more aware of those risks, behind the scenes our government experts have been hard at work carefully tracking and responding to these developments. The water sector is also working hard on the issues, developing planning and training tools and other resources for individual utilities to deploy.
But the bad news is that there is much more we can and should be doing to protect our water systems and the public health and ecological systems that depend on their daily performance. Many of public water systems need additional financial resources to prevent and respond to sophisticated cyber assaults, while others lack the technical capabilities to deploy advanced cybersecurity safeguards and strategies. And critically, there is currently no regulatory requirement that water systems report such attacks and even when an attack is known to EPA and other federal agencies and the attack method can be determined, the agencies lack the ability to quickly communicate this information to the nation’s water systems. Complicating that information flow is the tricky business of acting on and sharing classified information.
What specifically is needed? First, to protect all systems, the government must be aware of all cyberattacks and be allowed to investigate each attack’s method and impact so that warnings can be issued, and corrective actions deployed in systems with similar vulnerabilities.
While current law may give EPA authority to require reporting, Congress should specifically clarify that authority. There is some hesitancy in the water sector to disclose cyberattacks, either publicly or to regulatory authorities, and there is some legitimacy to those concerns. For example, public disclosure may impede criminal investigations or may cue identification and capture risk to the hackers prematurely. Having Congress establish a workable framework balancing the need for public awareness and national security will alleviate the confusion and concerns for the regulated water sector and provide a path forward to accurate and timely information flow.
Second, Congress should give EPA the authority to authorize federal review of water systems to understand the scope of vulnerability from cyberattack, individually and cumulatively across the water sector. America’s Water Infrastructure Act of 2018 requires all community water services serving more than 3,300 people to conduct risk and resilience assessments every five years to get a firm handle on how malevolent actions could harm their systems. That is an excellent start, but enhancements are needed to better utilize this information more systemically.
Third, EPA and other federal agencies need to develop and maintain the ability to disseminate threat information immediately to all water systems. That includes overcoming the classified versus unclassified information sharing and timing impediments to information flow and closing the existing data gaps and currency problems in existing EPA databases for all regulated water utilities in the United States.
Fourth – and critically important – Congress should allocate sufficient funds (at least $10-$20 million annually) to EPA beginning in fiscal 2022 to provide it with the resources required to carry out these specific public health protection responsibilities. Unlike agencies with dozens of full-time staff for countering cyber threats, EPA currently has very few if any dedicated full-time staff for these tasks. EPA’s experts in these areas frequently share other emergency response or related duties.
Finally, while members of Congress are likely to propose bills this legislative session that address cyber and data security – including a comprehensive, federal privacy bill with a strong data security component – a broad call to action from the public is essential to urge the administration and Congress to safeguard not just our drinking and surface water resources, but the specific control systems that are used to run our water and wastewater utilities. Those are the entry points that are currently being probed by our domestic and foreign adversaries, and our incredible water sector professionals need our help so that they can keep helping us enjoy our daily lives.
I think we can all drink to that.
Dennis Lee Forsgren served as deputy assistant administrator for the Office of Water at EPA from June 2017 to January 2021 and is currently counsel at HBW Resources LLC.
David P. Ross served as assistant administrator for the Office of Water at the EPA from January 2018 to January 2021 and is currently a partner with Troutman Pepper LLP.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.