
In World of Risks and Ransomware, Readiness Holds the Key

In March 2023, the U.S. Environmental Protection Agency (EPA) announced a new plan to improve the digital defenses of public water systems, with the EPA’s assistant administrator for water putting the gravity of the issue in clear but stark terms.

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” Radhika Fox wrote in the EPA’s official announcement. “Cyberattacks have the potential to contaminate drinking water, which threatens public health.”

That recent warning, involving an industry where there’s no one-size-fits-all approach to addressing vulnerabilities in operations and assets, offers a backdrop to today’s conversation about cybersecurity in Black & Veatch’s 2023 Water Report, based on survey responses from roughly 450 U.S. water sector stakeholders.

Among the key findings: utilities overwhelmingly demonstrate great awareness about the importance of and need for cybersecurity as they continue to make progress in hardening their systems against such attacks. Eight in 10 respondents reported that cybersecurity is the most important investment in the security of their assets. While that’s certainly positive, only 57 percent believe physical security — a prerequisite for cybersecurity — is the most critical investment (Figure 18).


That gap in prioritization may result in vulnerabilities in one — or both — of these areas. While it’s encouraging that such a high percentage of respondents are addressing the need for strong — or stronger — cybersecurity practices, there’s opportunity for more collaboration among cybersecurity and physical security professionals to take a more holistic approach to their security programs.

Taking the data a step further, when asked about the strength of their cybersecurity program, nearly half (46 percent) reported that they have a formal, robust cybersecurity program, down from 59 percent in 2022 (Figure 19). Why are fewer utilities today feeling confident about the strength of their cybersecurity program? One explanation for the drop-off may be the fact that water utilities are undergoing a change in their worker profile.

Risks, Ransomware and Regulation

As hackers relentlessly prod and probe systems for vulnerabilities to exploit, what exactly are today’s most pressing cybersecurity risks that utilities are facing? The 2022 “Verizon Data Breach Investigations Report” points to ransomware as the most frequent, accounting for one-quarter of all breaches — and utilities are taking note.

When asked by Black & Veatch to identify which efforts their utility needs most to mitigate cybersecurity risks, six in 10 respondents cited continuous monitoring — one of the best ways to detect malicious activity. Other top replies included IT/OT modernization (54 percent), network segmentation (45 percent) and assessments (37 percent).

Similarly, having a clear remediation plan is gaining more sway among utilities, with roughly one-quarter — 24 percent — of respondents citing such a clear corrective roadmap as important, up from 9 percent just a year earlier.

That said, utilities prefer to be trusted to go it alone with their cybersecurity without governmental oversight. Seven in 10 respondents (72 percent), when asked if they would prefer cybersecurity to be regulated and have a compliance standard or prefer it to be self-governed by the utility, chose the route of independence. Given the high cost of complying with federal regulations observed in other sectors — as well as competing needs for limited utility funds — utilities simply may see a cost benefit in managing cybersecurity without federal oversight, regardless of the security implications that may result.

That’s not to say they don’t desire or enlist outside help; nearly 80 percent of respondents say they’ve hired or consulted with cybersecurity experts or information security engineers — whether it’s having full-time staff, consulting with external experts or hiring on a part-time or contract basis (Figure 20).


The bottom line, according to Black & Veatch’s survey: utilities have strong efforts in place to mitigate today’s biggest security threats. While competing interests and limited resources create even more headwinds, U.S. water utilities appear to have the foundation — and no shortage of expert consultants such as Black & Veatch to help them navigate complexities — to continue building strong, robust cybersecurity programs to protect such undeniably critical human infrastructure.
