Securing critical infrastructure is complicated because of the vast network of facilities and management systems. Threats targeting this sector can have dire consequences, and when attacks do happen, they're often accompanied by a media storm. This generates interest among concerned citizens, which prompts a reaction from politicians, who are spurred into action to ensure the necessary cyber protections are implemented to calm the concerned citizens — the electorate.
The 2021 ransomware attack on Colonial Pipeline, which caused long lines at gas stations, followed this very timeline and served as a much-needed wake-up call to protect critical infrastructure services against cyberattacks. The attack prompted action at the highest levels of US government, causing the president to expedite an executive order aimed at strengthening US cybersecurity defenses. The executive order, in brief, requires disclosure of incidents, creates a federal playbook for incidents, mandates cybersecurity upgrades, creates a review board, and, importantly, encourages an ethos of cyber-intelligence sharing between government agencies and the private sector.
The emphasis on cybersecurity due to the increased threats to critical infrastructure — including cybercriminals attempting to monetize their efforts, terrorism, and the conflict in Ukraine — is unprecedented. In the current budget proposal, the Cybersecurity and Infrastructure Security Agency (CISA) will receive $2.93 billion, $417.1 million more than it requested. There are numerous grants available to critical infrastructure organizations to assist funding the much-needed improvements to cybersecurity; in April 2022, CISA and FEMA began rolling out the first $1 billion from the Rescue Act to help state and local entities improve cybersecurity. Testifying before the House Homeland Security Subcommittee, Jen Easterly, director of the CISA, used the cyberattack on the Oldsmar, Fla., water utility plant as an example of an attack on critical infrastructure to justify the original request.
Enormous would be an underestimate of the task of upgrading the cybersecurity of water supply and wastewater systems in the US. According to American Water, there are 53,000 water supply and sanitation providers in the US. The Environmental Protection Agency (EPA) calculates this differently, and lists 148,000 public water systems (not companies).
If, like me, you live in a rural community, the company supplying your water is likely a small local business providing a critical infrastructure service. On Feb. 5, 2021, the water treatment system servicing Oldsmar City suffered a cyber incident: A poorly secured remote-access solution based on TeamViewer was accessed by a perpetrator, who adjusted the amount of sodium hydroxide in the water from 100 parts per million to 11,000 parts per million. Fortunately, a city water plant operator noticed the increase and reversed it, stopping the attack and the potential poisoning of thousands of people. It was later disclosed that the system accessed wasn't protected by two-factor authentication and was protected by a weak, shared password. There really is no excuse.
The Wall Street Journal's CIO Journal suggests that technology spending as a percentage of revenue in banking and securities is around 7%, and in construction and manufacturing just 2%. Given that water supply is a critical infrastructure service and has been specifically called out as needing cybersecurity investment, it is reasonable to expect spending on IT, including cybersecurity, to be at the higher of these two levels. A report by Deloitte breaks this number out for cybersecurity spending, which they estimate to be 10.9%.
The $2.5 Billion Scope of the Problem
What does this mean in a rural water system company, without shaming any particular company? I will use a real-life example without naming the company. Company X has a total revenue budget of $12.4 million per year, with an operating cost for computer services of $211,000 for the same period. There are some costs for IT-related items that may be outside of the operating budget and are attributed to capital spending. For the fiscal year 2021–22, the only item that could have cybersecurity element is a $50,000 cost for SCADA/telemetry/electrical control replacement.
This equates to IT spending (listed as computer services) of 1.7%, and even allowing that 50% of the capital expenditure item is cybersecurity, which is unlikely, this becomes 1.9%. Using the earlier mentioned cybersecurity estimate of 10.9%, the spending on cybersecurity is just under $22,000 per year, for an organization with $12.4 million in revenue. In a sector under continual threat, it's not unreasonable to expect spending to replicate that of financial organizations, which, in this instance, would equate to an IT spending of $868,000, with cybersecurity accounting for just under $94,000 per year.
The water sector does benefit from federal assistance, and the EPA has requested $25 million in fiscal year 2023 for a new grant program to advance cybersecurity infrastructure capacity and protections within the water sector. If you do raw math on this and distribute it among the 54,000 organizations, it equates to less than $500 each. There may be other funding and grants available, but the point isn't the numbers, it’s the magnitude of the problem. To fund each water supply organization $50,000 for cybersecurity, a more realistic number, a budget of $2.5 billion would need to be set aside.
Years of underinvestment in critical infrastructure security isn't something fixable in the short term. The complexity of dealing with 53,000 organizations (around 50,000 of them rural) and attempting to bring them all to a basic level of compliance is a mammoth task. All of this comes at a time when inflation is rampant, and the cost of energy is high.
One Possible Solution
There is always a solution. One idea is that the IT services of water supply companies would be better serviced if they were grouped together, centralizing internal services.
If, for example, 10 companies joined together for IT and cybersecurity, there would be numerous benefits: financial, resources, communication, compliance, policy, etc. This would be similar to the way individual schools are part of a school district, with one, single governing body. This is just one solution, and I'm sure there are many options that could be pursued that could help alleviate the financial and resources burden facing the critical infrastructure sector.