The United States’ 148,000-plus water and wastewater utilities are likely the most diverse set of providers within the 16 critical infrastructure sectors. Governed largely by state and local municipalities, there are thousands of smaller, under-resourced utilities serving populations across the country. Regardless of size, however, these small providers face the same threats and carry the same risk to human lives from a successful cyberattack as their larger, resourced counterparts.
In this episode of the Nexus podcast, Jennifer Lyn Walker, Director of Infrastructure Cyber Defense for the WaterISAC, discusses the current state of cybersecurity within the water sector, and explores the disparity in security talent, technology, and funding available across the sector. Walker said multiple times during the conversation that the difference between the larger and smaller providers, in addition to resources, hinges on security awareness.
Many smaller utilities rely on managed service providers who may configure antivirus and some measure of security monitoring, but may not be looking at vulnerability management, or the risks posed by legacy equipment, or operational technology in place for decades.
“If you don’t know you should be doing it, then you’re not,” Walker said. “The large ones are doing what they need to be doing. They have dedicated staff. They’re actioning the alerts and hunting their systems, collaborating with the EPA or FBI if they have incidents. They're reporting their incidents.”
The Water ISAC for example, will get shared intelligence from its members on unique phishing attempts, or active attacks, but these are few and far between coming from less mature organizations. “It all comes down to the big versus the small,” she said. Water ISAC will be hosting a virtual event in October where many of these issues will be explored.
Recently, a report in The Messenger explored EPA data on the water sector that exposes some of the struggles providers are enduring. According to the article, lackluster cybersecurity funding from state and local governments puts providers behind the eight-ball. Not only are there technology gaps, but they’re also unable to hire security specialists; all of which impacts their readiness to respond to incidents.
Walker, meanwhile, urges smaller providers to understand that there are programs and funds available, and that while larger providers have secured some, smaller providers may not know they can apply, or how to apply for them.
“It comes back down to that level of awareness, that the funds are there,” Walker said. “They just don't know how to or that they need to.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.