Following the recent attention given to the water sector’s vulnerability to cyber intrusion, there’s been a lot of talk about what went wrong, whose fault it was and why changes need to be made in the sector.
However, the challenge in addressing the water sector’s cyber security posture isn’t in outlining existing problems, but rather in generating realistic, affordable and timely solutions to mitigate them.
One proposal: A public/public partnership.
It’s not a typo; I meant to say “public/public” as opposed to “public/private.” After all, 85 percent of all drinking water and wastewater systems in the country are publicly owned by municipalities. That’s just one of many reasons why the water sector should garner a higher level of prioritization for federal security resources and partnerships than other “private” industries, even other utilities (that and the fact that nearly all private industries rely on water services as part of their operations).
Initiating a public/public partnership whereby the federal government helps the water sector by providing the resources to assess its overall cyber security posture is a smart and affordable way of empowering the sector to evaluate and ultimately protect itself.
After a thorough evaluation, the sector and DHS could develop training resources for water utilities to shore up their most common cyber vulnerabilities and provide individualized attention to utilities with particular needs.
All of this could be accomplished in a 2-3 year multi-phased approach that would significantly reduce the sector’s vulnerability to cyber attacks and be cost-effective. Not too shabby.
My concern is that we may just keep talking about the problem without actually doing anything about it. At which point we run the risk of having a major incident that impacts public health and could lead to a knee-jerk reaction by Congress to mandate an expensive and over burdensome regulatory program at a cost that could be hundreds of times as much as the public/public partnership described above.