With few employees and little federal compliance training, some small-town water utilities may be unable to defend themselves from cyberattacks.
Water utilities in some small and rural communities may be vulnerable to cybersecurity attacks because they are understaffed and haven’t been trained on compliance with federal regulations, state and local infrastructure advocates told a Senate panel.
"People don't see what's going on in our small towns," said Sophia Oberton, special projects coordinator for the Delmar Public Works Department in Maryland. "In small areas, you don't have enough employees to cover some of the day-to-day things that need to get done.… You need to come down off that chair and come see what's really going on in our areas, and sit down and have conversations and know what the specific needs are. Because each utility is different. Each utility is not the same."
During a July 21 Senate Environment and Public Works Committee hearing, Oberton urged lawmakers to provide additional funding toward technical training and assistance programs like the Rural Water Circuit Rider Program.
The initiative was launched in 1980 with the goal of providing hands-on federal training and technical assistance to water utility managers and other specialists on a range of issues, including compliance with federal regulations and all other aspects of water utility management. Oberton said the program, though currently underutilized among smaller communities and utilities susceptible to cyberattacks, can provide critical cybersecurity training and technical assistance for those areas and local specialists.
A majority of water utilities, however, have not even fully assessed their own IT assets, according to a June survey from the Water Information Sharing and Analysis Center (Water-ISAC) that included responses from more than 530 organizations. Dozens of firms responded that they were "not sure" if they had experienced a cyber incident.
Other witnesses also stressed the need for further training and funding to meet the cybersecurity goals featured in President Joe Biden's cybersecurity executive order released in May, which outlined aggressive deadlines for all agencies and stakeholders to begin improving their cyber posture.
Shailen Bhatt, president and CEO of the Intelligent Transportation Society of America, said some water utilities, other private contractors and federal agencies have been successful in responding to cyberattacks after taking implementing the National Institute of Standards and Technology's Cybersecurity Framework.
"The playbook that I would recommend is the NIST framework for all of the stakeholders," he said. "Their framework for cybersecurity talks about identifying the threats to your system, protecting against those vulnerabilities, detecting attacks on your system, responding to them and then recovering."
This article was first posted to FCW, a sibling site to GCN.
NEXT STORY: Tabletop exercise tests election security