Safe and reliable drinking water and dependable wastewater systems are essential to daily life. However, their criticality also makes them prominent targets for profit-seeking cyber criminals and geopolitical actors exploiting a new domain of conflict. In recent weeks, we have witnessed attacks on water utilities in Pennsylvania and Texas. These attacks underscore that more needs to be done to improve the cybersecurity and resiliency of this critical sector. Given the complexity of the sector, the water industry cannot do this alone – technology companies, regulators, and policymakers must play their part in securing the landscape.
Today, Microsoft and the Cyberspace Solarium Commission 2.0 (CSC) are launching a new report: Multistakeholder Insights to Advance Water and Wastewater Infrastructure Cybersecurity. The report summarizes best practices and recommendations for policymakers, regulators, and for the water sector itself to improve cybersecurity based on a series of roundtables with leading policy, technology, and water experts. To further help small- and medium-sized water utilities strengthen their cybersecurity defenses, Microsoft, the Cyber Readiness Institute (CRI), and the Foundation for Defense of Democracies (FDD) have also launched a cybersecurity pilot program to provide tailored cyber readiness coaching to water utilities and training for their employees. Registration is still open to eligible utilities that would like to participate. The data and lessons from the pilot program will further help to inform critical infrastructure cybersecurity policy and the development of similar efforts in the sector.
Amid escalating threats, including from advanced nation-state actors online, we hope these efforts help provide necessary guidance and resources for this vital sector.
A multistakeholder challenge
Unique among critical infrastructure sectors, water and wastewater infrastructure in the United States is comprised of more than 100,000 public and private utilities of varying sizes and capacities. As a result, there are vast disparities when it comes to cyber readiness, especially for smaller utilities that have fewer resources. This leaves the sector especially vulnerable to cyberattacks. Regardless of the size of the utility, cyberattacks that disrupt water services can have a damaging and cascading impact on things like access to safe and reliable drinking water and sewage management, as well as on other critical infrastructure sectors that rely on uninterrupted access to water in their operations, like hospitals and the energy sector. As outlined in the Paris Call for Trust and Security in Cyberspace, protecting these critical resources from cyberattacks is essential, and not something any one sector can do on its own.
Improving cyber maturity and resilience across the water sector will depend on multistakeholder cooperation across industry, civil society, and at every level of government. The report we are releasing today and its core findings are the product of the participation of numerous U.S. agencies in the roundtable series – including the Environmental Protection Agency (EPA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Office of the National Cyber Director (ONCD), and National Institute of Standards and Technology (NIST) – as well as representatives from Congress and the water and technology sectors. The report breaks down its key recommendations by stakeholder group, with specific guidance for legislatures (state and federal), agencies, regulators, and sector operators, in order to drive comprehensive understanding of what is needed for reform.
Protecting critical infrastructure from threats
As outlined in our recently announced Secure Future Initiative, industry needs to do more in the face of rising threats online. To this end, Microsoft is innovating with regard to its engineering practices and default settings, as well as leveraging the benefits of AI to improve the security of products and services across our platforms. However, this must be coupled with a more robust application of international norms to limit, in particular, state-sponsored cyberattacks that target infrastructure that is essential for daily life.
Critical infrastructure for civilians, like water and wastewater systems, is never an acceptable target and attacks targeting these systems cannot be consistent with responsible state behavior online. Whether in times of peace or armed conflict, international law and specific international norms established by the United Nations for cyberspace make this unambiguously clear. We all should denounce efforts by nation-state actors to target such infrastructure as violations of those commitments. To strengthen these obligations, we encourage governments to further commit publicly that they will not undermine the networks of critical infrastructure sectors such as energy, water, food, and medical care. They should also commit that they will not permit any persons or entities within their territory or jurisdiction to engage in cybercriminal operations that target critical infrastructure.