Water Sector Faces Cyberthreats; Lack of Funding Can’t be an Obstacle to Preventative Measures

By Rex Johnson

The Wall Street Journal recently published an alarming article that noted the severe lack of federal funding for improving cybersecurity measures and infrastructure for U.S. water facilities. While water facilities don’t immediately come to mind when considering potential cyberattack targets, that very lack of visibility makes them even more vulnerable. It’s not difficult to imagine the grave harm to Americans if a water facility’s security is compromised: contamination or supply shortages come to mind.

Cyber-attacks have increased a staggering 300% since the onset of COVID-19, and since 2019 alone there have been five recorded attacks on water facilities. The threat is real, but what are we doing about it?

The Environmental Protection Agency (EPA) is responsible for overseeing all 52,000 drinking-water and 16,000 wastewater systems across the United States. As of November 2021, the EPA has not standardized cybersecurity requirements for these water facilities. Many must conduct their own risk assessments and develop their own incident response plans.

Cybersecurity is not a “nice-to-have.” It’s a vital part of every organization.

Even though constrained budgets might prevent U.S. water facilities from making sizeable investments, there are cost-effective options available for improving cyber defense.

Analyze your cybersecurity situation with these 5 questions

  1. What is your biggest security concern as it relates to your environment?
  2. When was your last security assessment, and what did it include?
    • A strong, updated security assessment should be performed annually and include the following aspects:
      • Policy Review
      • Network Penetration Testing
      • Asset Review and Classification
      • Access Control
      • Incident Response
  3. Do you have a current incident response (IR) plan?
    • Typically, IR plans are updated every 18 to 24 months and, with the ever-changing cyber threat landscape, should be reviewed more frequently. An IR tabletop exercise is recommended at least once annually to validate the effectiveness of the plan.
  4. How realistic is your IR plan to address the risks and mitigate the impacts of a cyber-attack?
    • Here are some aspects to consider when realistically addressing your IR plan:
      • Labor resources: Do you have enough staff on hand to jump onto an identified threat?
      • Cost resources: If the cyberattack damages operations more than expected, do you have the right teams in place? If not, how much will additional contracting cost?
      • Streamlined procedures: Do you have to engage with multiple vendors/contractors? How much operational damage is being done while coordinating?
  5. On a scale of 1 to 10, how confident are you in your ability to demonstrate security compliance (1 = low; 10 = high)?
    • If you answered anywhere below 10, you should strongly consider assessing your IT environment and creating steps to improve your cybersecurity posture.
    • CAI can help you by performing an initial assessment of your IT environment and making suggestions to help you raise your cybersecurity confidence.

How to jumpstart your cyber posture

CAI understands the challenges and threats faced by America’s local infrastructure departments. We are determined to provide cost-effective cybersecurity services without sacrificing service quality and operational performance. To provide an end-to-end, flexible cybersecurity suite, CAI has teamed up with proven, experienced partners, enabling us to deliver maximum value to our clients. Additionally, clients can expect cyber threats to be detected faster and incident response to deploy rapidly to stop cyber threats before they have a significant operational impact.

Our cybersecurity service starts with an initial assessment of your IT environment and, based on the findings, we prescribe only the services you need and advise you on the next steps towards protecting your department and constituents. To start your assessment, please complete the contact form, and our cybersecurity experts will reach out to you shortly.


About the Author...

Rex Johnson is the CAI Cybersecurity Director & Practice Leader. He is a retired Lieutenant Colonel from the US Army and has over 30 years of senior-level experience holding CISSP, CISA, CIPT, PMP, and PCIP certifications.
