Fragmented Governance and Scarce Resources Make America’s Water Sector Vulnerable

In a stark revelation, America’s water utilities have been identified as the most cyber-vulnerable sector within the nation’s critical infrastructure. This alarming finding emerged during a congressional hearing where it became evident that cybersecurity in this essential service is under the jurisdiction of a poorly coordinated and fragmented network of government agencies. Moreover, many of these utilities, especially smaller ones, are plagued by resource constraints that significantly limit their ability to confront the growing cyber threats they face.
Rep. Scott Franklin, R-Fla., who chairs the environment subcommittee of the House Science, Space, and Technology Committee, emphasized the profound implications a successful cyberattack could have on water treatment and distribution systems. His concerns highlighted the potential widespread repercussions, which could extend beyond the water sector into chemicals, manufacturing, and energy, along with severe ramifications for emergency response services, healthcare facilities, firefighters, and even food production. He pointed to earlier incidents in which foreign hackers targeted water systems, indicating a pressing threat that cannot be ignored.
The vulnerabilities in America’s water infrastructure, according to Franklin, are further exacerbated by aging information technology systems and the heavy reliance on supervisory control and data acquisition (SCADA) systems. These operational technologies have become prime targets for malicious cyberattacks, as underscored by the congressional discussions. The United States is home to over 50,000 water systems that serve communities ranging from a few hundred residents to millions. The diversity in scale further complicates efforts to ensure robust cybersecurity across the board.
As discussions progressed, other panel members echoed Franklin’s concerns regarding the resource shortcomings faced by water utilities. Smaller facilities rely on a dwindling user base that is often unable to shoulder significant increases in water rates, leaving little room for dedicated cybersecurity budgets. Rep. Zoe Lofgren, D-Calif., who serves as the ranking member of the full committee, noted that over 70% of the water systems inspected by the Environmental Protection Agency (EPA) since 2023 fail to follow basic security practices. This inadequacy renders these systems increasingly susceptible to threats posed by both cybercriminals and state-sponsored hackers.
Lofgren highlighted how recent advisories from the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations had reported intrusions into water systems by hackers associated with China, Iran, and Russia. The testimony during the hearing underscored a painful reality: expecting small utilities to adequately defend against sophisticated nation-state threats is unrealistic.
Virginia Wright, who manages the cyber-informed engineering program at the Idaho National Laboratory, articulated the need for creative solutions. Most small utilities lack dedicated cybersecurity personnel or any IT department; their budgets are solely focused on delivering essential services. Wright presented the idea that while cybersecurity measures are vital, they may not suffice alone, particularly in a landscape where adversaries are both well-resourced and highly skilled.
She introduced a simple yet effective engineering tool aimed at mitigating damage from potential cyber incidents: a time delay relay. This component can slow down commands to critical infrastructure, minimizing the potential for detrimental outcomes even in the event of a successful cyberattack. It operates without software, rendering it immune to hacking attempts. The relay buys time, allowing manual operation of systems in case of an attack, thus preventing catastrophic failures.
The most prominent threat actor currently probing U.S. water infrastructure, as identified by Josh Corman from the Institute for Security and Technology, is Volt Typhoon, believed to have ties to the Chinese military. Corman elaborated on the strategic implications of cyber operations against utilities that support U.S. military bases, noting the potential to disrupt force mobilization in critical situations, such as a Taiwan conflict. Such tactics aim not only to destabilize military readiness but also to sow chaos in civilian infrastructure, potentially eroding public confidence in governmental responses.
Frustration was palpable as Corman expressed his weariness with merely waiting to see when the next attack would occur. He called for proactive measures to address these challenges, aiming specifically at high-risk systems that provide water to crucial facilities like hospitals.
The discussion also revealed an alarming level of fragmentation in governmental support for water system cybersecurity. Witnesses pointed out that funding and resources are scattered across various agencies, including the EPA, CISA, and the Federal Emergency Management Agency (FEMA), creating a convoluted landscape for small communities to navigate. David Hinchman from the Government Accountability Office noted that the historical federal role in infrastructure security was shifting, delegating more responsibility to state and local governments without providing sufficient guidance or support.
While there are inherent challenges in the infrastructure security framework, Hinchman emphasized possible pathways for progress. Creative solutions, including risk assessments and resilience plans mandated by the EPA, have been proposed but often fail due to legislative restrictions preventing the collection of comprehensive data across the sector. Collaboration among agencies, alongside leveraging existing authorities, could lead to a more unified and effective approach to securing America’s vital water systems from future cyber threats.