Water and Cybersecurity: Digital Threats to Our Most Critical Resource
Floods. Earthquakes. Wildfires. People have to prepare for many kinds of disruptive emergencies. Sadly, we can add a relatively new hazard to the list: cyberthreats to drinking water.
Over the past few years, according to the EPA, “federal entities have issued numerous advisories for cyberattacks against information networks and process control systems at water and wastewater systems by malicious cyber actors, including the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC)-affiliated cyber actors, Pro-Russia Hacktivists and the People’s Republic of China (PRC) state-sponsored cyber actors (known as Volt Typhoon, Vanguard Panda and other names). These malicious cyber actors have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.”
This is a formidable threat.
Protecting Water Is an Existential Requirement
Putting aside matters of commerce or convenience, people need clean water to survive. And more of it than you might think. World Health Organization guidance on water sanitation and health in an emergency situation estimates that a minimum of 15 litres of clean water per person per day is required just for basics such as drinking, cooking, and minimal hygiene. That rises to a minimum of 20 litres per person per day if you add bare-bones sanitation and bathing. Over 5 gallons per person per day! Suffice it to say, you do not want hackers disabling your town’s flow of tap water.
Other utility systems, such as energy or telecommunications, are also increasingly targeted by cyberthreats. But water is the only utility that you actually ingest and need to sustain life—its risk profile is naturally higher. As providers of regulated critical infrastructure, all utilities are required to conduct cyber risk and resilience assessments, reduce cybersecurity vulnerabilities, and develop emergency response plans under federal law. When it comes to water systems, however, compliance can be a tall order.
Why Water Cyberdefense Is an Issue
There are just over 1,700 electricity providers in the United States. By contrast, the country has at least 148,000 water systems, ranging from large investor-owned companies with millions of customers to tiny rural systems serving just 14 customers. The infrastructure and technological capabilities of all these systems are incredibly disparate.
I work for one of the larger water utilities, based in Silicon Valley, which is fortunate to have the resources to sustain a pretty robust cybersecurity defense. This is not the case for thousands of smaller but no less vital water systems throughout the nation. My employer has an experienced and expert staff, as well as a host of excellent partners and service providers ensuring our information technology is segregated from operational technology. Our systems and networks are segmented and permissioned—continuously surveilled and defended (blocking ~5 million attacks against our firewalls every single day).
But a smaller water utility isn’t going to have the personnel or expertise readily available to them, nor the resources and funding required to vet and partner with effective service providers.
The US Cybersecurity and Infrastructure Security Agency (CISA) is a phenomenally good resource that provides many cyber-hygiene services free of charge (particularly helpful for some of the smaller water utilities). But the available security frameworks are essentially designed for any business, not for water utilities specifically. They’re more descriptive than prescriptive. And this leaves a lot of water systems vulnerable.
And in truth, there is no magic solution that will make all our water systems impervious to threats, and there is no such thing as perfect cybersecurity. Even if a utility has excellent cyberdefenses, if a sufficiently sophisticated cybercriminal organization attacks that organization, they are probably going to succeed in wreaking some form of havoc. Regardless of size, your local water company can’t halt an army of PRC hackers.
But that doesn’t mean we can’t reduce the level of potential disruption and minimize the likelihood of catastrophe. It doesn’t mean we can’t make all water systems more secure.
Cultivating Collective Strength
I’ve spent a lot of time monitoring hacker forums and have noticed that black hats are very obliging amongst themselves. Someone will post about a problem (for example, “I’m trying to break through this firewall. I’ve done x and y, but then I get z…any advice?”). This will generate dozens of helpful responses (“Oh, here’s a bit of code you can try” or “Have you thought about this approach…?”).
All these people are happy to talk to each other and offer help just because someone asks. They’ve got their entire community behind them.
If you look at legitimate industry forums, on the other hand, someone might post, “I’ve got a problem with someone attacking my firewall, and they keep doing x, y, and z…any advice?” They’ll also get dozens of responses. But they’re usually some variation of “Yeah, I can help you for $500 an hour” or “Buy my product/service.”
This has to change.
At the annual DEF CON conference in Las Vegas last fall, a cybersecurity project dubbed “Franklin” was announced, with the aim of focusing ethical-hacker expertise to “provide support in ways that are designed specifically for the unique realities of the water sector.” Partnering with the National Rural Water Association (NRWA), the American Water Works Association (AWWA), and other concerned contributors, the project’s pilot program has paired volunteer cybersecurity experts with some under-resourced water utilities in four states to help shore up the security of their systems.
This is a step in the right direction to better defend what is, after all, our most critical resource. And I hope that it sparks more active and open security collaboration within the water utilities community as well. We’ve got to do a better job of simply sharing whatever knowledge we have — talking to each other, telling each other what we’re seeing and doing, freely offering to help just because someone asks. There is nothing to stop us from tapping the same kind of community-driven strength that attackers exploit so well.
— Peter Fletcher, vice president and information security officer for H2O America, is a cybersecurity leader with 30+ years of experience building and managing security programs across critical industries, driving initiatives in C2M2 and CIS CSC frameworks, data protection, PCI DSS security, and cloud security.

