How One State Defends Its Drinking Water from Cyber Attacks
New Hampshire has turned to security assessments plus a set of “Drinking Water Cybersecurity in a Box” turnkey solutions to reach a good baseline defense for its water systems.
Federal agencies recently sent governors a letter urging them to defend their water and wastewater systems against disabling cyber attacks, noting that many water systems lack even basic precautions.
New Hampshire is one state that’s taken up the call. New Hampshire’s state IT is partnering with the state Department of Environmental Services and the regional Cybersecurity and Infrastructure Security Agency (CISA) representative to begin assessing cyber maturity at community drinking water systems.
Most drinking water systems in the state serve fewer than 3,000 customers, said CISO Ken Weeks, speaking to Government Technology at the recent National Association of State Chief Information Officers (NASCIO) conference. That means the systems are too small to have been required by the EPA to conduct risk and resiliency assessments or maintain emergency response plans.
Weeks said they've assessed more than 150 community drinking water systems across the state, and one of their takeaways was "this security is bad, even for a water system."
The next step for New Hampshire was to provide the tools and training to get these utilities up to speed. To do so, the state has provided funding to Overwatch Foundation, a not-for-profit, to bring water systems a turnkey solution. Dubbed “Drinking Water Cybersecurity in a Box,” the solution provides cybersecurity assessments where needed, as well as training for water system staff, new equipment and software with several years of support.
Many water systems lack segmentation between the Supervisory Control and Data Acquisition (SCADA) control boxes and employees’ personal devices, which can be risky. The turnkey solution instead provides new iPads for professional use, as well as other items if the water systems need them, like firewalls, routers and updated SCADA control boxes that enable patching, Weeks said.
The Overwatch Foundation says it offers support services to each organization for up to three years, although the water systems can opt out sooner. After three years, organizations are expected to be ready to maintain things on their own.
The initiative aims to get every water system to the same base level of security, regardless of where they’re starting from, Weeks said.