A recent bill that proposes $7.5 million in annual cybersecurity funding for the next five years for US rural water systems may have a bigger impact for covered entities than the dollar amount alone would suggest. It would be a much-needed infusion of cash for a critical infrastructure sector that plays a big role in public safety despite its smaller customer base.
The funding adds to $25 million available annually as technical assistance for rural water systems and small water utilities under a US Department of Agriculture (USDA) initiative called the Circuit Rider Program. But this bill targets a narrowly focused set of small organizations that currently have little to no cybersecurity capability.
Mike Hamilton, former CISO of the City of Seattle and current CISO of Critical Insight, says the investment is vitally important given that these systems make attractive targets for attackers.
“Disruption of water and wastewater [systems] can lead to public health emergencies very quickly,” he notes. “Given that global geopolitics are incentivizing activists and volunteers to perform disruptive acts, water and waste may be in their sights to drive dissatisfaction with the US government’s ability to maintain critical services.”
Rural Water Systems: A Critical Cyberattack Target
There are more serious concerns as well. By targeting critical operating systems at small water facilities, an attacker could “drain tanks, change levels of chemicals, inject bad telemetry information into well and tank monitoring, and potentially impact waste treatment operations,” Hamilton says.
It’s also important to remember that softer targets take fewer resources to attack, cautions Chris Warner, senior operational technology security consultant at GuidePoint Security. Such targets are often used to divert attention from more significant and larger targets, he notes.
Shutting off water is just one potential outcome of an attack on a rural or small water system, Warner adds: “What concerns me is [attackers] changing the amount of chemicals used to clean and/or balance the water quality. This could cause mass sickness and even possible death.”
The good news is, so far, there have been few publicly reported attacks on small and rural water systems of major significance, Hamilton and others say. However, that doesn’t mean small and rural water entities can’t become victims of opportunistic attacks — including ransomware.
“Key factors include how much exposure their critical systems have to enterprise and Internet facing users that are exploited by threat actors,” explains Ron Fabela, CTO of critical infrastructure at Xona Systems. So, “while … there’s no tangible data showing a rise in threat actor interest in rural water systems specifically,” Fabela says, the overall increase in awareness, legislation, and industry focus — and this latest investment — are key in making sure the situation stays that way.
A Narrow but Significant Cyber Investment in Water Safety
“While $7.5 million may seem like a drop in the bucket from a funding stance, the USDA Rider program is focused on those water entities [that] serve a population of 10,000 or less,” says Fabela. “Any financial assistance for these very small water utilities goes a long way.”
Reps. Don Davis (D-N.C.) and Zachary Nunn (R-Iowa) along with Reps. Angie Craig (D-Minn.) and Abigail Spanberger (D-Va.) introduced the Cybersecurity for Rural Water Systems Act of 2023 earlier this month. The bill seeks to expand the National Rural Water and Wastewater Circuit Rider program by including $7.5 million annually between 2024 and 2028 for cybersecurity technical assistance for small and rural water utilities.
Under the proposed program, cybersecurity experts — or circuit riders — will travel to rural water facilities and assist them in building plans for securing their systems against cyberattacks. The cybersecurity riders will become part of a broader team of circuit riders that have been providing as-needed, hands-on training and other technical assistance to small and rural water systems for decades.
According to the National Rural Water Association, which collaborated with the USDA in setting up the program, circuit riders have provided technical assistance more than 700,000 times to small and rural water systems since 2009. The assistance has included helping small water utilities respond rapidly to natural and man-made emergencies, improve water treatment processes, enhance regulatory compliance, and improve financial sustainability.
In a statement announcing the bill, Rep. Davis described the proposal as critical to bolstering cyber defense in agricultural communities and rural water systems that are critical to overall national security. “We must ensure our water systems rural communities and farmers rely on have the necessary protections to successfully guard against cyberattacks,” he said.
Expanding the circuit rider program to include cybersecurity should begin to help smaller, rural water systems start their security journey, says GuidePoint’s Warner. Many of these entities lack the security personnel, expertise, and funding required to operate systems for securing their water and wastewater equipment, he says.
“From several of the water and wastewater organizations I’ve helped out in the past, this will greatly assist organizations to create security departments that may not exist or that are treated as ‘other duties assigned,’” he says. The funding could also help them build out governance and risk management programs, Warner notes.
Rural Water Cybersecurity Funds Provide Much Needed Relief
Hamilton, who was previously also vice-chair of the DHS State, Local, Tribal, and Territorial Government Coordinating Council, says it’s important to consider the size of the target audience when evaluating how effective or not the proposed new funding will be. The $7.5 million in cybersecurity funding that the bill proposes is targeted at small utilities that are typically not in scope for state and local cybersecurity grant programs. “Because of that tight scoping, this amount may be significant,” he notes.
“Private sector water systems that are in rural areas can use the funds to conduct the assessments that are required by the EPA,” as part of new drinking water requirements for states and public water systems, he adds. The fund could aid these entities in finding and closing security gaps in their systems.
Data on the exact number of rural water systems in the US is challenging to come by, partly because of how these systems are classified. According to the Environmental Protection Agency (EPA), 97% of 153,000 public drinking water systems in the US (as of February 2020) serve populations of 10,000 or fewer. Another report, by the American Bar Association following the water crisis in Flint, Mich., pegged the number of community water systems in the US at 60,000, with 93% serving populations fewer than 10,000, and a total of 67% serving fewer than 500 people.