Regardless of political orientation, United States citizens rely on our government to protect us from threats, whether that’s a bombing, a land invasion, or cyber attacks on our critical infrastructure. Unfortunately, while the former are easy to recognize and comprehend as a threat, the latter is far more difficult for most of us to grasp and address. To change that, people, from individual citizens to local governments and up, need to understand cyber basics to improve overall security in our communities.
Assumed infrastructure protection
While all citizens rely on critical infrastructure to go about their daily lives, far too few of us have an understanding of what’s needed to protect that infrastructure from malicious attacks. That lack of knowledge impacts voting on local issues, including budgeting for better cyber solutions and training for IT staff, consultants, and water and electrical experts.
The challenge is that local governments have specific ways they fund the resources required for their communities, including water and waste management. It’s very expensive to make and clean water, and that process is largely funded by the water and sewer fees residents pay — there’s not much room in those budgets to add the cybersecurity protections we need. The cost to protect this necessary infrastructure, however, is an important part of budget discussions, because the cost of not protecting it goes beyond financial impacts and into the health and safety of our communities.
A complex system of small operators
As citizens, we need to be asking different questions about how we can protect ourselves and our communities from malicious actors. Most towns and cities rely on small operators who have expertise in plumbing, chemistry, water systems and wastewater and drainage systems, but not in information technology, firewalls, and cyber attackers. Usually, towns and cities rely on domain experts to ensure the water systems work and internal IT staff or third-party consulting companies to manage network infrastructure and access.
Unfortunately, these two groups rarely understand that a water plant must have its own firewall as well as network segmentation between the city firewall and its industrial control system (ICS). Malicious actors are aware of these gaps in cyber knowledge and protection; indeed, the Federal Bureau of Investigation (FBI) has been warning national security and intelligence experts for years that U.S. critical infrastructure is a prime target.
Individual people can make a difference
It is a serious threat, and it can feel insurmountable (if you’re aware of it), but you can make a difference as a voter and someone who asks good questions, whether that’s at a town meeting, a select board or town council meeting, talking to the mayor or local legislators, federal representatives, or even the President of the United States. Perhaps more importantly, asking the press these questions to ensure that they, too, understand what questions to ask and why, because the responses they publish will be widely disseminated via social media and news outlets.
Here are a few key questions you should ask and why you need to be asking them:
Ask your government (local, city, or state) about the impact of a reported cyber incident, including whether any utilities were impacted. And if so, how?
Typically, administrators provide answers only to the specific questions asked about an incident, perhaps because sharing that a water system was impacted could create panic. The reality is that there have been a lot of intrusions and cyber incidents in local governments, and not sharing that information does not protect us from potential repercussions. If we normalize asking these questions and getting honest answers, we will be more likely to vote for the cyber protections we need because we actually understand that there is a problem and what it is.
What guidelines is the local water authority following when it comes to water safety, and does it address cyber protection and education?
Many of us may assume that the Environmental Protection Agency (EPA) regulates water safety and cyber protection of these essential systems. Last October, however, the EPA withdrew cybersecurity rules for the water sector due to lawsuits from states and water associations. While the agency offered guidance and technical knowledge, it did not include financial assistance for rolling out these rules, part of the reason for the backlash.
In May, the EPA issued an enforcement alert that outlined the threats and vulnerabilities to community drinking water systems, as well as the steps required to comply with the Safe Drinking Water Act. Together with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the EPA is recommending action to secure our water systems. Understanding these initiatives and why they are important can help you hold your local water authority accountable to those requirements and vote to support them financially as appropriate.
Does your city council or city government have an understanding of cyber issues and how an incident could negatively impact the community, both financially and from a health and safety perspective?
Many local governments are run by city council members, county commissioners, and township trustees, some of whom are volunteers while others are paid by government agencies. Few of these people have a good understanding of cyber threats. Other volunteers may have full-time jobs, and little additional time to research cyber issues and how to effectively manage them. All of them are juggling a wide variety of issues, budgetary constraints, and how to meet constituent needs. By asking them questions about cybersecurity and how your local government is addressing vulnerable systems, you can make it clear why it’s important for them to educate themselves about these issues and address the risks to the community.
How can you ensure that the budget allows for an appropriate response to an incident impacting critical infrastructure?
In most communities, only a few people show up to town meetings or talk to local and federal legislators. By educating yourselves and asking good questions in these forums, though, you can help build a budget that accounts for the costs of protecting water and wastewater systems from cyber attacks, as well as outlining the real costs related to a critical infrastructure attack. A few budget-related questions your town or city should consider include:
- Is there budget allocated funding for developing and updating emergency response plans for critical infrastructure incidents?
- Are there plans in place for coordination and communication between the fire department, police, public works, and public health?
- Do your water and wastewater experts know what software systems they are using and stay up to date on vulnerabilities and emergency patches to those systems?
- Do your response plans include resources at the state and federal level to help ensure that your local government has the right support and resources to respond quickly and effectively to a cyber incident?
Ignorance isn’t bliss
It’s easy to think that we’re safe when we can see no imminent threat. The mainstream news shows bombings in Ukraine and Gaza, addresses national politics and international elections, and analyzes the impacts of inflation, but rarely communicates the real danger of cyber threats. The Colonial Pipeline attack briefly brought national attention to the dangers of ransomware and how an attack could impact access to gas for our cars, but that’s unusual. Most of the time, ongoing cyber attacks are covered only on industry websites and forums.
Unfortunately, when it comes to cyber awareness, ignorance will not protect us from bad actors. While there’s no need for every citizen to be a cybersecurity expert, we can make significant improvements in our resilience to attack by becoming more aware of the issues and asking our local governments and utilities informed questions and demanding answers. Together, we can and must improve the security of the critical infrastructure we all depend on.