Hurricanes remind us our water systems are at risk of cyberattack
As the nation watches in horror at the terrible flooding Hurricane Harvey and Hurricane Irma have caused, we are reminded of the destructive power of water. While the flooding is already historic and largely unprecedented, we need to ask whether it could happen again, and whether the kind of damage inflicted could only happen due to a natural disaster. Unfortunately, the answer to the first question is yes, it could happen again. Hurricanes, from Katrina to Sandy to Harvey, and their effects are growing increasingly fierce and insufficiently rare. The answer to the second question is also unfortunate. Due to increased vulnerabilities, and an increased willingness among hackers to target critical infrastructure, the opportunities for a man-made water disaster are also growing.
In 2016, the U.S. Department of Justice indicted an Iranian national for repeatedly obtaining unauthorized access to the industrial control systems of the Bowman Dam in New York state. According to the DOJ, this unauthorized access allowed the attacker to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature and status of the sluice gate, which is responsible for controlling water levels and flow rates. That access would normally have permitted the attacker to remotely manipulate the Bowman Dam’s sluice gate — to potentially devastating effect — but fortunately, the sluice gate had been manually disconnected for maintenance at the time of the intrusion.
This is but one example of the devastating potential for a cyberattack on the nation’s water infrastructure. According to the U.S. Department of Homeland Security, the national water system consists of about 160,000 public drinking water systems and more than 16,000 public wastewater systems, many of which are becoming increasingly connected and interconnected. This developing network introduces efficiencies, relieves some of the burden on the aging water infrastructure, and introduces opportunity for better coordination and information sharing. However, this network also creates opportunities for attackers to cripple or contaminate the system and cause a large-scale cascade of disruption to our water supply and wastewater systems.
In addition, as the line between information technology and industrial or operational controls is blurring with the advent of web-enabled sensing and measuring technologies, there is also a growing tension between the two. For example, IT at times needs to go offline to allow for patching and updating, while industrial controls are expected to run continuously. And while IT may be centralized, industrial control components may be widely dispersed and located in publicly accessible areas where they are vulnerable to physical tampering.
The U.S. National Infrastructure Advisory Council, a group commissioned by the president’s National Security Council to review the federal government’s capability to secure critical infrastructure against cyberattacks, recently warned of a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack” occurred against that infrastructure.
Indeed, as Congress comes back into session this week, they will confront the aftermath of Hurricane Harvey. But as they work to help fund response and recovery efforts, they must also look ahead to shore up prevention, including from man-made, cyber-enabled events. They need to find ways to better assist owners and operators of water facilities and dams to scan and sanitize their systems of any existing malware, encourage growth of cybersecurity expertise, heighten deterrence against criminal and nation-state hackers, enhance actionable information sharing, including of classified intelligence, and further assist even the smallest operations to make cyber improvements.
But as much as governments can and must assist, the fact remains that industry has an indispensable role in protecting itself. Just as we rely on the police to protect us but still have to lock our doors and windows, so too must we take a public-private partnership approach to cyber threats. And while technology can help protect against, and recover from, cyberattacks, there is no one silver-bullet technological solution. That fact makes the lack of holistic cybersecurity guidelines specifically tailored to the water sector troubling.
That said, there are resources immediately available that can be used to get ahead of the risk. The Water Sector Coordinating Council, in conjunction with the DHS and the U.S. Environmental Protection Agency, has published helpful roadmaps towards increasing cybersecurity in the industry. In 2015, the DHS issued “Dams Sector Cybersecurity Framework Implementation Guidance.” Other best practices and standards exist, which are useful in fashioning a holistic, proactive, risk-based and well-practiced cyber strategy.
For example, the National Institute of Standards and Technology has a “Framework for Improving Critical Infrastructure Cybersecurity,” which sets out a risk-based methodology and best practices to improve the cyber defenses of critical infrastructure. This framework is not, however, a check-the-box approach. It requires a thorough risk analysis and the application of sound judgment to mitigate identified risks. In addition, DHS publishes useful recommendations, including its “Seven Steps to Effectively Defend Industrial Control Systems.”
Ultimately, protecting the nation’s water system requires that both the government and the private sector step up their efforts before the window of opportunity to avoid a watershed cyber disaster closes. As Presidential Policy Directive 8, drafted in the wake of Hurricane Katrina to help mitigate future calamities, reminds us, “Our national preparedness is the shared responsibility of all levels of government, the private and nonprofit sectors, and individual citizens.” With the nation reeling from the effects of Hurricane Harvey and Hurricane Irma, and with cyber vulnerabilities to the nation’s water systems increasing, the time is now.
Michael Bahar is leader of the U.S. cybersecurity and privacy team at Eversheds Sutherland. He previously served as staff director and general counsel to the minority staff of the U.S. House of Representatives Permanent Select Committee on Intelligence and as deputy legal adviser to the National Security Council under President Obama.
The views expressed by contributors are their own and are not the views of The Hill.