Navigating Troubled Waters: Cybersecurity Threats to the Water Industry
On October 3, American Water Works Company, a major utility serving over 14 million people, reported a cybersecurity incident on its computer networks. This incident primarily disrupted the company's billing systems with no impact on water or wastewater services, but it brought renewed attention to the vulnerabilities in the nation's critical infrastructure. This incident, coupled with findings from the Government Accountability Office's (GAO) recent report, highlights the urgent need for enhanced cybersecurity measures in the industry.
Addressing Cybersecurity Gaps in the Water Sector: Insights from the GAO Report
The GAO report, “Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems,” sheds light on significant cybersecurity challenges within the water sector. It reveals that the Environmental Protection Agency (EPA) has not conducted a comprehensive sector-wide risk assessment, which the report cited as a fundamental step in identifying and prioritizing cybersecurity threats. Furthermore, the report notes that the absence of a risk-informed national strategy hampers effective resource allocation and coordination among stakeholders. The lack of mandatory cybersecurity standards has left many utilities vulnerable to cyber threats.
The report recommends the EPA develop a more strategic approach to cybersecurity, emphasizing the need for a coordinated national response and the establishment of baseline security standards, with specific actions and timelines for implementation. In its response to the GAO report, the Office of Water at EPA indicated water utilities can expect its water sector risk assessment and risk management plan to be published in January 2025.
Rising Nation-State Threats
Adding to this complexity is the growing threat from nation-states, particularly China, which has increasingly targeted U.S. critical infrastructure, including water systems. Chinese state-sponsored groups, such as the notorious Volt Typhoon, have engaged in cyber espionage activities, positioning themselves to disrupt operations during geopolitical tensions. These activities often exploit vulnerabilities in aging infrastructure and insufficiently secured operational technology. Previous incidents have demonstrated how such actors can infiltrate systems to gather intelligence or prepare for potential sabotage. This evolving threat landscape necessitates heightened vigilance and improved cybersecurity measures across the industry.
Key Regulatory Considerations & Reporting Requirements
For many water utilities, the regulatory landscape is being shaped by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which introduces new reporting requirements for critical infrastructure entities. Under CIRCIA, covered entities must report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery and ransom payments within 24 hours of payment. This mandate aims to enhance national cybersecurity by facilitating timely information sharing and coordinated responses. CIRCIA includes confidentiality provisions to protect information shared with CISA, encouraging entities to report incidents without fear of regulatory, financial or legal repercussions. The new reporting requirements from CIRCIA will take effect in 2026, and companies can prepare for compliance by establishing internal reporting protocols and designating a compliance officer to oversee these processes.
For public utilities, the Securities and Exchange Commission (SEC) cyber rule also applies. For these entities, materiality is the key consideration. Following its recent cybersecurity incident, American Water filed an Item 8.01 on its Form 8-K with the SEC. This filing, categorized under "Other Events," indicates that while the incident was significant, it was not deemed to have a material effect on the company's financial condition or operations. By choosing Item 8.01 instead of Item 1.05, which pertains to "Material Cybersecurity Incidents," American Water signaled that the incident did not materially affect its operations or financial results. This distinction is crucial for utilities navigating disclosure obligations, as it balances the need for transparency with the avoidance of unnecessary alarm.
How Critical Infrastructure Companies Can Mitigate Cyber Risk
To navigate these challenges, critical infrastructure companies should adopt several best practices. First, implementing a comprehensive cybersecurity framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, can help manage cyber risks effectively.
Investing in cybersecurity training and fostering a culture of security awareness can significantly enhance an organization's resilience. Additionally, leveraging emerging technologies like artificial intelligence for threat detection and response can provide a competitive edge. Conducting incident response simulations and tabletop exercises will also prepare management and staff for real-world scenarios.
Collaboration with industry groups, Information Sharing and Analysis Centers (ISACs) such as WaterISAC, and government agencies including CISA, the EPA, and the Critical Infrastructure Partnership Advisory Council (CIPAC) can provide critical insights and resources. In this complex environment, the guidance of an experienced cybersecurity attorney is invaluable. Legal counsel can help develop robust incident response plans, ensure compliance with regulatory requirements like CIRCIA and the SEC cyber rule, and advise on best practices for cybersecurity governance. They can also provide critical support in managing data breach notifications and navigating international cybersecurity laws. By leveraging legal expertise, critical infrastructure entities can better protect their operations and contribute to the overall resilience of the nation's critical infrastructure.
Buchanan's cybersecurity and data privacy team is equipped to assist in navigating the complex landscape of cyber threats. From developing incident response plans to ensuring compliance with regulatory requirements, we help utilities and other critical infrastructure entities safeguard essential services and maintain public trust in their operations.