Protecting the supply chain from hacks has been top of mind due to recent high-profile attacks, but members of the National Cyberspace Solarium say the area of critical infrastructure they are most concerned about going forward is water security.
The recent Florida water hack put on display just how weak the cybersecurity protecting water infrastructure currently is, Solarium commissioner Dr. Samantha Ravich said today at the fourth Hack the Capitol Event hosted by ICS.
“The Oldsmar, Florida, attack in February demonstrated a system with numerous basic cyber hygiene processes not being followed,” Ravich said on a panel with other Solarium members. “The ease with which an even inexperienced hacker could alter the performance of automated production chemical balancing systems. But this was a significant incident that, that almost occurred, it barely was avoided.”
Ravich went on to decry the sector’s lack of investments in cybersecurity and the lack of attention paid to cybersecurity in water distribution in general.
“It’s a very different condition than other lifeline infrastructures, such as energy, financial services or telecom where cybersecurity – while it’s not perfect by any means – has significantly had more attention paid to it,” Ravich said.
“That is not yet the case, by and large, in water infrastructure. So, both industry, which is composed of largely small … local municipalities, and the U.S. government, represented by the EPA (Environmental Protection Agency) have not kept up with the increasing risk driven by the automation of water production and distribution systems. A significant effort by both sides of the public-private partnership is actually needed to reduce the vulnerability so we’re I think we’re impressed to have the efforts focused,” she added.
Mark Montgomery, the panel’s moderator and a commission member himself, noted that the Safe Drinking Water Act, which recently passed in the Senate with broad bipartisan support, included some cybersecurity measures but still did not invest largely in securing the sector. He added that the potential for distrust in the safety of water could wreak havoc.
“The idea that you if you went around the country in three or four spots and created poor chemistry … that caused young people or old people to become ill, and it all happened simultaneously … people would lose confidence in the credibility of the water supply because people don’t know whether or not they can sense whether the water is good or not,” Montgomery said.
Rep. Mike Gallagher, R-Wis., conferred with his fellow Solarium members about the potential havoc that distrust in the water supply would create and proposed a few fixes Congress could look at to legislate on the issue.
“It’s really hard to overstate just the chaos that would ensue if you really started messing with people’s water supply and the lack of confidence that that would produce,” Gallagher said.
“This issue of critical tech technology security centers [is] one of the commission’s proposals with appropriate funds for the executive branch to select designated fund up to three critical technology centers that would centralize efforts in evaluating and testing common technologies such as ICS (integrated computers solutions) in critical infrastructure,” Gallagher added.
The congressman also noted that he and his colleagues are working on “sticky legislation” that would create a process for the Department of Homeland Security to designate certain critical infrastructures as “systematically important.” This would require the designated entities to abide by additional security certification and incident reporting requirements, but would also give them the benefit of federal government intelligence and sharing liability protections.
These recommendations will be on the commission’s mind as it gives new recommendations it hopes to have incorporated into the 2022 National Defense Authorization Act.