Recent cyberattacks on U.S. water systems, including an incident involving an Iran-linked hacker group targeting a water authority in western Pennsylvania, have heightened federal focus on the cybersecurity vulnerabilities of water utilities. These attacks, which also affected a North Texas water utility with ransomware, did not disrupt water supplies but underscored the urgent need for improved cyber defenses.
Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Tech, emphasized the importance of these events as a wake-up call for utilities to enhance their cyber hygiene. The U.S. water system consists of about 150,000 individual systems, most of which are small, municipality-run entities with limited resources for cybersecurity staff and training. Many of these systems rely on older infrastructure, complicating upgrades and cloud integration.
Prior to these attacks, the Biden administration faced challenges in regulating cybersecurity in the water sector. An attempt by the Environmental Protection Agency to integrate basic cyber questions into sanitation inspections was withdrawn due to legal challenges.
However, a recent report by Microsoft and the Cyberspace Solarium Commission 2.0 (CSC 2.0) suggests ways forward. It recommends that water sector operators conduct risk assessments, implement multifactor authentication, and utilize available state funds for cybersecurity improvements. Over the next year, initiatives by Microsoft, the Cyber Readiness Institute, and the Foundation for Defense of Democracies will focus on coaching small water utilities in cybersecurity and employee training.
Tom Fanning, Executive Chairman of Southern Company, highlighted the urgency of the situation, urging water utilities to proactively utilize available cyber resources without waiting for new regulations.