DUNCAN, OK -- NRWA and the Mission Critical Global Alliance (MCGA) signed a memorandum of understanding on March 9, 2021, affirming a commitment to cybersecurity education for the water sector.
“Last month’s unlawful intrusion into the City of Oldsmar's water treatment system was the latest example of the vulnerability of our nation’s small and rural utilities to cyber-attacks,” said Matt Holmes, NRWA CEO. “The City’s operator should be commended for taking immediate action to prevent catastrophic consequences. NRWA takes cybersecurity very seriously, and is committed to raising the bar for awareness, education and support for water professionals.”
MCGA and NRWA are developing a plan for a comprehensive continuous cyber education program that will help all small and rural water and wastewater systems better manage their cybersecurity risk, by:
- Creating a multi-stage training program that targets guidance based on risk along with the technical ability and capacity of systems.
- Focusing on training Circuit Riders, the key NRWA field experts who are best placed to sustain the ongoing effort needed to manage the cybersecurity risk.
- Integrating with other initiatives around water sector cybersecurity to ensure that time, effort, and funds are used to best effect.
“MCGA is excited to be partnering with the NRWA in developing a comprehensive cyber and physical security training program for their members. The Oldsmar hack won’t be the last attempt to disrupt a water or wastewater system, and as that situation has demonstrated, having an educated workforce is a vital part of the defense in mitigating risk against critical infrastructure,” said Brian Kainrath, MCGA President.
There are more than 145,000 active public water systems in the United States (including territories). Of these, 97% are considered small systems under the Safe Drinking Water Act, meaning they serve 10,000 or fewer people. Systems the size of the City of Oldsmar (15,000 population) have limited resources to manage the threat to their operations.
In the field of cybersecurity, guidance is often too complex or difficult to act on. Experts provide lists of 20 or more points that need to be investigated, and many of these require specialist skills. Specialist service providers are often driven by their own business interests, focusing their services on technology at the expense of people and process. NRWA and MCGA will focus on simple guidance and practical steps that will help all members better manage their cybersecurity risk.
It is impossible to completely remove all cybersecurity risk. However, rural water and wastewater systems can take actions that will reduce the likelihood of an incident, or the consequences of that incident. Some of these actions can be taken immediately by water utilities, such as removing insecure remote access, performing a risk assessment, raising awareness, securing user accounts, and implementing policy for former employees.
“Today’s announcement is just the beginning of a sustained effort to tackle the issue of cybersecurity in America’s critical water infrastructure sector,” Holmes said. “For too long, we have witnessed underinvestment by the Federal Government to support small and rural communities in responding to cyber threats.”
MCGA and NRWA consider these actions essential for all rural systems. Undertaking these actions does not remove all cybersecurity risk, but it does reduce the risk considerably. There are many more actions that should be taken, and the cybersecurity risk continually changes.