Two bipartisan Senate bills reintroduced by US Senators last week aim to boost the cybersecurity defenses of small water and wastewater utilities.
Any move to enhance cybersecurity in the water sector is welcome and overdue following calls last year from the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) for the industry to secure remote access to Human Machine Interfaces (HMIs) following an attack by pro-Russia hacktivists.
Time to Act
The Senators introducing the bills assert that only 20% of water and wastewater systems across the U.S. do not even have even basic levels of cyber protection. They are looking to address the situation through the Rural Water System Disaster Preparedness and Assistance Act and The Cybersecurity for Rural Water Systems Act.
The Rural Water System Disaster Preparedness and Assistance Act would help rural water and wastewater utilities prepare for and become more resilient to natural disasters and other extreme weather events.
The Cybersecurity for Rural Water Systems Act would update technical assistance opportunities for cyber defense to address vulnerabilities in rural water systems.
Modernizing the Program
Both bills would modernize and increase the scope of the Department of Agriculture’s Circuit Rider Program. The program provides technical assistance to rural water systems experiencing daily financial, managerial, or operational problems. The amendments seek to improve the sector’s cybersecurity through protocols for protection and prevention and the hiring of cybersecurity experts, referred to as ‘circuit riders.’
Mike Rounds, the Republican Senator from South Dakota who co-led the Cybersecurity for Rural Water Systems Act, underlined the need for the amendments. “As our near-peer adversaries continue to utilize cyberattacks, we must have cybersecurity safeguards in place to protect our critical infrastructure, such as water systems. Our legislation would modernize and expand the Circuit Rider Program, providing cybersecurity-related technical assistance to rural water and wastewater systems.”
2024 Was a Tough Year
Ensuring the safety and security of water resources is critical for public health, agriculture, and industrial processes. Unfortunately, 2024 saw a concerning rise in cyberattacks targeting water systems. Some of the notable attacks were:
- American Water—The biggest water and wastewater utility in the United States, serving approximately 14 million people, experienced a cybersecurity incident in October 2024. The attack resulted in the shutdown of its call center and the disconnection of its customer portal and billing platform.
- Arkansas City Water Treatment Facility – The City’s Water Treatment Facility had to switch to manual operations while a cyberattack, which occurred in September 2024, was being resolved. The incident was investigated by the FBI and the U.S. Department of Homeland Security.
These attacks were accompanied by apologies and assurances but without detailed public disclosures. Any disruption to the digital ecosystem of a drinking water or wastewater system could significantly impact the community it serves and other critical infrastructure. It seems as though 2024 acted as a wake-up call in terms of governance. Recommendations and then urges from authorities have proved insufficient, and now legislation is being proposed, so organizations are forced to act.
Expert Analysis
Evan Dornbush, a former NSA cybersecurity expert, has provided his expert analysis of the current situation, as well as his view on the proposed bills.
“We’ve already seen multiple examples of foreign actors attempting to, and successfully breach the technology utilized by water systems using zero-day exploits and remaining undetected for extended time periods. Building a consolidated program for operators to cost-share on monitoring, remediation, and information-distribution efforts sounds like a national imperative at this point in history.”
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.