The U.S. Congressional Subcommittee on Cybersecurity and Infrastructure Protection is addressing concerns about cybersecurity in the water and wastewater sector, focusing on potential disruptions and safety risks. Yesterday the Subcommittee held a hearing entitled, “Securing Operational Technology: A Deep Dive into the Water Sector”, to delve into the vulnerabilities in the water sector and the essential steps needed to improve the security of operational technology (OT) within the water sector.
The hearing had the participation of Robert M. Lee, CEO and Co-founder at Dragos; Charles Clancy, Senior Vice President and General Manager at MITRE Labs and Chief Technology Officer at MITRE; Kevin Morley, Manager for Federal Relations at the American Water Works Association (AWWA); and Marty Edwards, Deputy Chief Technology Officer for Operational Technology and Internet of Things at Tenable, as witnesses.
In his written testimony, Lee emphasized the fundamental differences between operational technology (OT) and information technology (IT) in critical infrastructure, the risks brought by the same digitalization, connectivity and uniformity in OT that has led to enhanced efficiency and reliability, and the need for the public and private sector to continue to work together to protect water systems. “To adequately defend water systems and other infrastructure against threats and adversaries, the community must invest in and prioritize the cybersecurity of OT and ICS networks using security controls that have demonstrated success against actual threats,” he said.
Clancy noted the need of more collaboration and information sharing, but more is needed. “The scale of the threat requires critical infrastructure operators to prepare and respond more like they would to a major natural disaster. They need to establish procedures to sever their control systems from the internet, and practice disconnected operations”, he said.
Cyber security is a major issue for the water sector following recent cyber attacks affecting water and wastewater facilities, which the U.S. has responded to with sanctions to Iranian actors by the U.S. Department of the Treasury.