Officials warn of cybersecurity vulnerabilities in water systems

Lawmakers and experts on Wednesday warned of gaping cybersecurity vulnerabilities in the nation’s critical water sector amid escalating attacks against a number of U.S. organizations. 

“I believe that the next Pearl Harbor, the next 9/11, will be cyber, and we are facing a vulnerability in all of our systems, but water is one of the most critical and I think one of the most vulnerable,” Sen. Angus King (I-Maine), the co-chairman of the Cyberspace Solarium Commission (CSC), testified to the Senate Environment and Public Works Committee.

“There is an incipient nightmare here, and it involves all sectors of our critical infrastructure, but water I think is probably the most vulnerable because of the dispersed nature of water systems in the country,” he warned.

King’s concerns came during a committee hearing on cybersecurity vulnerabilities in critical infrastructure that zeroed in on concerns around water and wastewater treatment facilities. 

Cyber threats have soared in recent years, including recent ransomware attacks on critical infrastructure such as Colonial Pipeline, and the water sector has not been immune. 

A hacker unsuccessfully attempted to poison the water supply of Oldsmar, Fla., earlier this year by breaching city systems that control chemical balances, while NBC News reported that a hacker separately breached a water treatment plant in San Francisco in January. The Justice Department in March indicted an individual on a charge of hacking into and tampering with water systems in a rural Kansas county.

“It was through sheer luck that none of these incidents affected customers,” Rep. Mike Gallagher (R-Wis.), the other co-chairman of the CSC, testified to the same Senate panel on Wednesday. “A more sophisticated adversary could impact the safety of thousands of Americans through a cyberattack on our water supply.”

John Sullivan, the chief engineer of the Boston Water and Sewer Commission, testified Wednesday that his organization was hit by a ransomware attack last year. While it was able to recover without any operations being compromised, Sullivan stressed that many of the nation’s 50,000 drinking water systems and 16,000 wastewater systems lack the resources and knowledge to respond to a cyberattack.

“What if, for example, the intruder was not immediately detected, and was able to manipulate pumps to drain a water tower, or restrict distribution to certain areas,” Sullivan wrote in his prepared remarks for the committee. “Such an outcome not only would have undermined the public’s confidence in their drinking water but would have carried severe impacts on the community’s infrastructure and public health.”

Sophia Oberton, the special projects coordinator for the city of Delmar, which falls in both Maryland and Delaware, noted that her 4,500 person town had only three licensed drinking water operators to perform functions from responding to line breaks to performing lead tests to compiling reports.

Oberton stressed that while her town may have less people than a city like Boston, one hacking incident could lead to “psychological panic on a national scale as communities fear their own drinking water supply could be threatened.”

“This is why small communities believe that protecting our water supplies from any cyberattack is just as important as protecting large communities,” Oberton wrote in her prepared remarks. 

Many of the nation’s water facilities are rural, and often have very few resources and training to respond to cyberattacks as opposed to other sectors, such as banking or defense, which are heavily regulated.

When questioned by committee members, Oberton said that there were no cybersecurity training requirements to obtain her water operators’ license and that there were “no specific standards” operators adhered to from the federal level on cybersecurity. Sullivan testified that the only federal regulation his organization had on cyber was self-certifying their systems. 

“So that’s a pretty open situation,” Sen. Sheldon Whitehouse (D-R.I.) quipped. “I hope very much that in this committee we will start to develop things that will help you work through this.”

The bipartisan leaders of the Senate Environment and Public Works Committee agreed with the need to take action to secure water systems, with ranking member Shelley Moore Capito (R-W.Va.) noting cybersecurity policies would likely be included in the upcoming Water Resources Development Act.

“I believe it is incumbent on us to recognize that cybersecurity is a long-term, constantly evolving challenge,” Committee Chairman Tom Carper (D-Del.) testified. “Addressing this challenge requires sustained federal investment, not one-time solutions.”