Skip to content

Cybersecurity initiative will impact water utilities

Following reports of cyber attacks targeting the federal government and major news outlets, President Obama declared in his 2013 State of the Union address that such attacks on the nation’s critical infrastructure are rapidly growing and present “real threats to our security and our economy” and announced that his administration will spearhead new defensive efforts through an Executive Order titled “Improving Critical Infrastructure Cybersecurity” (the “EO”).

With an upward trend in cyber incidents across critical infrastructure sectors, both government-owned and private sector utilities are well advised to closely examine their existing approach.  Specifically, reported cyber attacks on utility sector control systems rose more than 50 percent in 2012, with the energy and water sectors representing the greatest number of reported attacks among industrial control system networks.

The Executive Order

Through the February 12, 2013 EO, the President called on the executive branch to better communicate potential cyber threats to the private sector through increased information sharing and to develop a flexible framework for identifying and reducing the risk of cyber attacks on critical U.S. infrastructure.  The Department of Homeland Security (“DHS”) and the Department of Commerce’s National Institute of Standards and Technology (“NIST”) will take the lead in developing the initiative, but extensive coordination with other government agencies and the private sector is required. Although voluntary, industry involvement is considered to be a crucial component of the cybersecurity framework development. Participation by utilities will be particularly important due to the unique threats they face, including not only the threats and liabilities associated with thefts of customer data but also an ever-expanding list of potential vulnerabilities in supervisory control and data acquisition (“SCADA”) system legacy hardware and software.

Cybersecurity information sharing

The EO directs the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to take coordinated action to ensure the rapid dissemination of reports on cyber threats to U.S. private sector entities, to include both unclassified and classified information.  Commercial critical infrastructure sectors (e.g., water, wastewater, transportation, power and other utilities) will be invited to join the Defense Industrial Base Enhanced Cybersecurity Services program, an existing voluntary information sharing program providing classified cyber threat and technical information to companies and service providers serving the military-industrial sector.

Identification of high priority critical infrastructure

Under the EO, “critical infrastructure” is defined to include those systems and assets, whether physical or virtual, the incapacity or destruction of which would have a debilitating impact on security, national economic security, and/or national public health or safety. However, certain high risk infrastructure will receive special consideration. Where a cybersecurity incident to critical infrastructure could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security, the owners and operators of that infrastructure will be confidentially notified of that determination. Security clearance processing for these entities will be prioritized and they will receive particular attention in the development and implementation of the cybersecurity framework, discussed below. Water utilities traditionally are included within the realm of critical infrastructure and may fall into the “high risk” category.

Cybersecurity framework

Perhaps most significantly, NIST is ordered to develop a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”), to include the establishment of performance goals in the face of hypothetical threats and crafting sector-specific baseline standards, methodologies, procedures and processes necessary to meet those goals. For utilities, an effective framework will need to do more than focus on SCADA software vulnerabilities, and should include thoughtful consideration of potential threats from both internal and external exploits of software, operating systems, legacy hardware and other physical assets unique to each utility.

The framework must incorporate voluntary consensus standards and industry best practices to the fullest extent possible and DHS is required to engage a broad coalition of interests, including critical infrastructure owners and operators and the sector-specific government agencies that already have been coordinating with their assigned sectors on various security issues. A significant portion of the Cybersecurity Framework development is expected to be achieved at the sector-specific agency level.  For the water industry, that agency is the U.S. Environmental Protection Agency.

Water companies regulated by the Pennsylvania Public Utility Commission already must have a written plan addressing cybersecurity under Title 52, Chapter 101 of the Pennsylvania Code.  As the national program takes shape, unregulated municipalities and authorities, while not currently required to have a plan, should expect to face increased pressure to adopt basic measures, including a written plan, to ensure against cyber incidents.

Next steps

The EO’s highly ambitious timeframe for implementation requires several agencies to take action within the next three to five months to assess current cybersecurity programs and the scope of their relative implementation authority and to begin to open the channels of communication on cyber threats.  In only 240 days, DHS is required to publish a preliminary version of the Cybersecurity Framework, to be finalized within a year.  NIST published a Request For Information in the February 26, 2013 issue of the Federal Register soliciting input from stakeholders and the public and has started to develop workshops to be held in April.

As noted above, each utility employs a unique combination of physical assets, SCADA and other hardware and software culminating in a set of strengths and vulnerabilities that is specific to that utility. Those with a presence across multiple jurisdictions will want to ensure that standards under the framework allow for company-wide adoption and are consistent with the requirements of multiple regulators (including those of state public utility commissions with existing cybersecurity program mandates, as in Pennsylvania). Thus, individual utilities should at a minimum monitor the process and participate where necessary to ensure the framework, which may inform later regulatory or legislative efforts, adequately accounts for their needs and allows for the development of effective cybersecurity strategies for their unique systems. Moreover, participating at an early stage in the development of the draft Cybersecurity Framework may help utilities ensure awareness of best practices that in turn can combat susceptibility to cyber attacks, reduce potential civil or regulatory liability, and increase insurability.

  • PA-AWWA Recognizes Our Gold Sponsors

    Partnership for Safe Water


  • Public Notification Providers

Find us on Facebook
Back to Top