There has been renewed focus on cybersecurity as critical infrastructure, as some crucial infrastructure in the US has been subjected to cyber hacks.
In 2019 a Kansas water treatment plant was tampered with, and in February 2021, hackers infiltrated a Florida water treatment plant.
Unlike traditional big power companies with robust security systems in place and set up digital barriers to bolster their defenses, local and municipal-owned infrastructures are most prone and vulnerable to attack.
Some of them have weak controls and lack a security measure called an “air gap,” a digital device or private local area network (LAN) that isolates it from other devices and networks. Hence a strategy protects the critical computer system and data from unauthorized access.
In the case of the Florida water treatment plant, their staff has used the same password to access the software.
SC Media reports that the rising cybersecurity threats in the US critical infrastructure have led water sector representatives and industry groups to Congress. They asked Congress for the total funding of existing programs and open new subsidies to replace aging infrastructure, update digital defenses, and train new staff.
Operators and industry representatives have testified in front of the House Homeland Security Committee about the poor state of utilities and their outdated equipment across the state, making them an easy target for criminal and nation-state hackers because they do not have sufficient revenues nor local and state funding to address these problems.
The article notes that government-sponsored cyberattacks are a growing threat besides aging infrastructure problems. Years of neglect and lack of maintenance have resulted in unsafe drinking water supplies, as seen in Flint, Michigan, and the most recent one in Jackson, Mississippi.
In addition, utility operators face a heightened digital security threat, which today is not limited to malicious hackers but is becoming a national security problem as foreign government-sponsored cyberattacks are increasing.
Cybersecurity is becoming a priority for water infrastructure operators, and preventing it means limiting physical and remote access to their data systems and placing continuous monitoring capabilities for potential digital threats to block some forms of cyber-attack. But to do this will require more support and funding from the federal government.
Funding could come from the Infrastructure Investment, and Jobs Act passed last year, which authorized cybersecurity-related programs.
“One of those programs would empower the director of the Cybersecurity and Infrastructure Security Agency and the administrator of the Environmental Protection Agency to develop a framework for prioritizing systemically important assets in the water sector.”
“The agencies must assess how capable they are of defending against digital vulnerabilities and determine whether a cyber-attack that rendered their systems inoperable would have broader effects on water infrastructure or availability. The agencies would also be on the hook for developing a technical support plan to assist those entities with penetration testing, vulnerability and risk assessments, and other capabilities.”
The article also notes the lack of funding for cybersecurity is one of the many problems that plague the water sector. A 2021 report from the American Society of Civil Engineers reveals a US1 trillion investment gap in water infrastructure, including cybersecurity.
Applying asset management principles and programs will help ensure the security and resilience of critical infrastructure and continue to function without disruption from cyber-attacks or external threats on its automated or computerized operation.
[…] 12 days to complete, shows that when infrastructure is given an emergency priority – particularly critical infrastructure with many economic and social implications- fast action and implementation are […]