Commentary: For Better Water System Security, We Need More Carrots, Not Sticks

By Charlie Moskowitz

It has been another record-breaking year for cybersecurity incidents. According to Identity Theft Resource Center (ITRC) research, data breaches in just the first nine months of 2021 surpassed all breaches in 2020 by 17 percent. Many of these incidents have been met with a collective shrug from a public now seemingly resigned to data theft from major consumer and retail brands, but the intrusions into IT systems in critical infrastructure — such as Colonial Pipeline and the Oldsmar water treatment plant — demonstrate that weak cybersecurity has the potential to cause significant damage to the nation’s economy — and can even have life-threatening consequences.

Infrastructure Vulnerabilities Persist

Cybersecurity experts have been sounding alarms about the security of the nation’s critical infrastructure, from financial systems to public utilities, for years. Unlike the financial sector, the water sector is a kaleidoscope of public and private operators ranging from massive behemoths to what could only be described as “mom and pop” operators working on a shoestring budget with only a handful of employees.

While the largest utilities may have the expertise and funding needed to maintain strong cybersecurity controls, 90 percent of water utilities across the country serve fewer than 5,000 people. Many of these smaller utilities share or outsource their IT support and have little to no cybersecurity expertise readily available. Smaller systems simply lack the assets – human or financial – needed to adequately protect themselves. Even something like a cybersecurity incident reporting requirement might be difficult to comply with if a utility doesn’t know what an incident is, when one has occurred, or what and how to report.

Our adversaries, however, have nearly limitless resources. The battle that is playing out today is, essentially, an organization’s local IT expert vs. the governments of China, Russia, Iran and North Korea. That is not a battle utilities will win by fighting threats individually or forcing compliance regimes on organizations that do not have the funding to comply with U.S. Environmental Protection Agency (EPA) consent decrees to supply clean drinking water. To many water utilities, every dollar spent on cybersecurity is a dollar that is not being spent on providing clean drinking water to constituents.

Addressing Today’s Challenges with Information and Cooperation

Improving security across the 75,000 water utilities in the country will only be accomplished with greater collaboration and coordination, and by leveraging tools that are affordable and readily available. The EPA and state governments around the country need to help water utilities better understand their cybersecurity posture and work proactively to identify and resolve deficiencies before they can be exploited. Tools like security ratings can provide exactly the kind of visibility that government regulators need in order to help. Security ratings provide an “outside-in” view of a water utility’s cyber hygiene, essentially showing the regulator what the hackers are seeing.

Like a credit ratings agency, security ratings companies gather as much publicly available information as possible through a scan of the public-facing assets of an organization’s digital footprint to compile a risk score. Data points such as expired encryption certificates and out-of-date web browsers can be detected, allowing regulators to work with utility operators to identify and fix specific vulnerabilities. Government agencies can also use these ratings to prioritize and triage the most vulnerable systems. An attack on any system, no matter how large or small, rural or urban, will spread fear to every community across the country and sow doubt among the public about the safety of all water systems, even those that are unaffected by the breach.
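To make the "outside-in" idea concrete, here is an added illustration of how a rating of this kind is assembled from externally observable facts. It is not SecurityScorecard's methodology or code; the asset inventory is constructed, and the penalty weights and grade thresholds are invented for the example. The same script also shows how a small utility's IT staff could self-assess the handful of hosts they expose, flagging an expired or soon-to-expire certificate, legacy TLS protocol versions, a missing HSTS header and a server banner that discloses a software version, then rolling those findings into a single score and letter grade.

```python
"""Toy outside-in hygiene scorer.

Added example: the scoring model (penalties, thresholds) is invented for
illustration and does not reproduce any commercial rating provider's method.
All input data below is constructed; nothing is fetched from the network.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Asset:
    """Facts observable from outside about one public-facing host."""
    hostname: str
    cert_not_after: date      # certificate expiry date
    tls_versions: tuple       # protocol versions the server will negotiate
    headers: dict             # HTTP response headers observed


@dataclass(frozen=True)
class Finding:
    hostname: str
    issue: str
    penalty: int


# Protocol versions no longer considered acceptable (constructed list).
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
CERT_WARNING_DAYS = 30  # assumed "expires soon" window


def check_asset(asset: Asset, today: date) -> list:
    """Derive hygiene findings for one asset; penalties are illustrative."""
    findings = []
    days_left = (asset.cert_not_after - today).days
    if days_left < 0:
        findings.append(Finding(asset.hostname,
                                f"certificate expired {-days_left} days ago", 30))
    elif days_left <= CERT_WARNING_DAYS:
        findings.append(Finding(asset.hostname,
                                f"certificate expires in {days_left} days", 10))

    weak = sorted(WEAK_TLS & set(asset.tls_versions))
    if weak:
        findings.append(Finding(asset.hostname,
                                "legacy TLS enabled: " + ", ".join(weak), 15))

    lowered = {k.lower(): v for k, v in asset.headers.items()}
    if "strict-transport-security" not in lowered:
        findings.append(Finding(asset.hostname, "no HSTS header", 5))

    # A banner such as "Apache/2.2.15" reveals a version an attacker could
    # check against known issues; "nginx" alone does not.
    server = lowered.get("server", "")
    if re.search(r"/\d", server):
        findings.append(Finding(asset.hostname,
                                f"server banner discloses version: {server}", 5))
    return findings


def letter_grade(points: int) -> str:
    """Map a 0-100 score to a letter (thresholds assumed for the example)."""
    for threshold, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if points >= threshold:
            return letter
    return "F"


def score(assets, today: date):
    """Return (points, grade, findings) for a whole inventory."""
    findings = [f for a in assets for f in check_asset(a, today)]
    points = max(0, 100 - sum(f.penalty for f in findings))
    return points, letter_grade(points), findings


# Constructed inventory for a fictional utility, assessed on a fixed date.
TODAY = date(2021, 11, 1)
SAMPLE_ASSETS = (
    Asset("billing.example-utility.test", date(2021, 9, 30),
          ("TLSv1.0", "TLSv1.2"), {"Server": "Apache/2.2.15"}),
    Asset("www.example-utility.test", date(2021, 11, 20),
          ("TLSv1.2", "TLSv1.3"),
          {"Server": "nginx", "Strict-Transport-Security": "max-age=31536000"}),
)


if __name__ == "__main__":
    points, grade, findings = score(SAMPLE_ASSETS, TODAY)
    for f in findings:
        print(f"[-{f.penalty:>2}] {f.hostname}: {f.issue}")
    print(f"score={points} grade={grade}")
```

Run as a script, the report lists each finding with its penalty and ends with the overall score. Every check relies only on information an outsider can observe, which is the point of the rating model the article describes: the regulator and the operator see the same facts an attacker would, and the step-by-step remediation path (renew the certificate, disable TLS 1.0, add HSTS, trim the banner) follows directly from the findings.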

The ability to take an objective measure of risk that government agencies can use to compare the relative security of every utility across the country allows regulators to focus on the weakest links, just as the hackers are doing. The EPA and state and local agencies can use ratings to systematically and methodically raise the floor on cybersecurity across the entire industry.

Some of these security ratings companies even offer every organization free access to its own score, along with a step-by-step guide to improving it. Furthermore, the easy-to-understand grading systems that ratings providers use are reducing the complexity of cybersecurity, which frees up time and resources for embattled IT teams.

Reducing Risk is Critical

Key federal agencies are beginning to understand the utility of information-sharing platforms like security ratings. The Transportation Security Administration (TSA), for example, recently stated that, “[tools] and services such as this, if in wider use, could better inform industry of certain vulnerabilities to act upon and decrease gaps in cybersecurity.”

While security ratings cannot guarantee 100 percent security (after all, nothing can), studies have shown that improving cybersecurity scores can reduce the threat of a breach by as much as 77 percent. Given the current state of cybersecurity among water utilities, a reduction in risk is badly needed and easily attainable with more visibility for operators and agencies alike and proactive support from regulators.


Charlie Moskowitz is vice president of policy and government affairs at SecurityScorecard. He has more than 15 years of policy and regulatory experience and previously served as chief policy counsel for the Democratic staff of the U.S. Senate Homeland Security and Governmental Affairs Committee.
