Water companies must step up on cybersecurity

As the only public utility service that we ingest, the critical importance of ensuring the safety and reliability of the nation’s water cannot be overstated. A key part of securing this vital resource is taking the necessary steps to safeguard our critical water and wastewater assets from cyber-related attacks.

America’s water companies are keenly aware of the cyber threats to our water systems — and have been taking action to ensure that our systems are secure. According to a 2018 survey of these investor-owned utilities, 91 percent have active cybersecurity programs. Last year, the National Association of Water Companies (NAWC) worked with key stakeholders to develop “cybersecurity pillars,” which serve as guiding principles around cybersecurity and compliance and provide an important path forward on this key issue.

NAWC and its member companies work to make sure customers have access to safe and reliable water that is affordable. This cannot be accomplished with water quality assessments and infrastructure investments alone. Cybersecurity must be a part of the action plan.

Last month, the Biden administration announced plans to address cybersecurity at water and wastewater systems. This expands on the Cyber Security Summit hosed by the White House in August at which two CEOs of our member companies — American Water and SJW Group — participated. In order to continue to advance this conversation, NAWC will host a Cyber Security Symposium for its members in May in Washington, D.C. Bringing industry and government stakeholders together to discuss this vital issue will help lead to solutions to safeguard our critical assets from cyber-related attacks. In the absence of national cyber mandate, NAWC member companies are taking the needed steps and making the needed investments protect customers.

We welcome the opportunity to work with our security partners to develop strategies and establish a pilot program with the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) to guide federal cybersecurity policy for the entire water sector.

Events such as the cyberattack on the water system in Oldsmar, Fla., serve as a stark reminder of the threats and vulnerabilities that exist throughout the water sector — and highlight the dangers that must be addressed across the entire industry.

The water industry is highly fragmented with about 50,000 drinking water systems, compared to about 3,300 electric utilities. Of those water systems, about 85 percent are municipally owned. Additionally, about 90 percent of the nation’s wastewater assets are municipally owned. The largest 444 water systems serve more than half of the U.S. population, while more than 50 percent of nation’s water systems serve fewer than 500 people, representing barely 1 percent of the U.S. population.

The complexities of the nation’s water grid creates compliance issues, with some operators not having the financial or technical wherewithal to make the investments necessary to shore up their cyber postures to protect against attack.

Right now, the lack of universal cybersecurity standards for all water and wastewater utilities is resulting in certain systems failing to meet basic compliance standards. These issues should be addressed in ways that are innovative and universally accepted by all systems — regardless of ownership. That is why we continue to push for more cyber security accountability across the entire water grid. 

State and federal initiatives aimed at driving uniform cybersecurity compliance for all water and wastewater systems as proposed by the Biden administration are critical. NAWC and its member companies welcome the reexamination of the cybersecurity oversight model for the water and wastewater industry and embrace requirements such as mandatory risk-based foundational standards.

The men and women of America’s water companies live and work in the communities their employers serve. They coach basketball leagues, lead local PTOs, sing in church choirs — and drink the water. They not only have a vested interest in doing everything possible to secure the water supply from cyberattack, but as full-time water professionals, they have the leadership and technical capabilities to tackle the challenge.

NAWC and its members agree that comprehensive cybersecurity strategies must continue to evolve and support the development of effective policies that encourage more collaboration between the energy, water and gas sectors through cross-training, grid exercises, and information sharing.

Collaborative policies could include the formation of a cyber mutual assistance program that would bring industry experts together to support restoration following cyber incidents that impact operations.

Another key step to increasing cybersecurity across the board is establishing a North American Water Reliability Council to manage and develop compliance standards and to audit utility implementation. It would be an independent sector-led organization, not a government agency, similar to the North American Electric Reliability Corporation (NERC) model used in the electric sector. Additionally, creating a new regulatory office within the EPA’s Office of the Administrator to oversee the NAWRC’s proposed compliance standards would be vital to a successful program.

The security of water and wastewater systems is critical to the economic and national security of our country. As the risks and threats continue to grow and become more sophisticated, we can and must proactively change the cyber security posture across the entire drinking water sector. It is the surest path to a resilient water grid that is able to protect the communities we serve.

Robert F. Powelson is the president and CEO of the National Association of Water Companies (NAWC). He joined NAWC after serving on the Federal Energy Regulatory Commission. Powelson previously  served on the Pennsylvania Public Utility Commission from 2008-2017, spending four years as Commission chairman. Powelson is the past president of the National Association of Regulatory Utility Commissioners (NARUC) and chairman of NARUC Committee on Water.