Microsoft and the Cyberspace Solarium Commission 2.0 (CSC) have released a report addressing the growing threat to water and wastewater infrastructure cybersecurity.
Recent cyberattacks on water utilities in Pennsylvania and Texas highlight the vulnerability of this critical sector. The report summarizes best practices and recommendations for policymakers, regulators, and the water and wastewater sector itself to improve cybersecurity. The report was informed by a series of roundtable discussions with leading policy, technology, and water experts – including WaterISAC’s, Jennifer Lyn Walker during Roundtable #4, Building Cyber Resilience on April 4, 2023. During the most recent roundtable discussion yesterday (December 13, 2023), experts noted that responding to these threats requires a collaborative and multi-faceted approach involving government agencies, industry partners, technology providers, and water system owners and operators.
WaterISAC – serving as a dedicated channel for information sharing and analysis within the water sector – is highlighted throughout this report as a crucial avenue for utility owners and operators to enhance their cybersecurity posture. The recent attacks and the report also underscore the importance of organizations actively participating in WaterISAC's information sharing forums. WaterISAC provides regular reporting on risks, threats, and preparedness in the sector, offering valuable insights and awareness to all participants. It is open to water and waste water sector organizations of all sizes, with reduced fees for smaller systems. While some information WaterISAC provides is publicly available, the curated content in the member newsletter (the Security & Resilience Update) provides convenience and additional value.
Finally, to further help small- and medium-sized water utilities strengthen cyber defenses, Microsoft, the Cyber Readiness Institute (CRI), and the Foundation for Defense of Democracies (FDD) launched a cybersecurity pilot program earlier this year to provide tailored cyber readiness coaching to water and wastewater utilities and training for their employees. Registration is still open for eligible utilities that would like to participate. The data and lessons from the pilot program will further inform critical infrastructure cybersecurity policy and the development of similar efforts in the sector. WaterISAC members can learn more by listening to the archived presentation from CRI during WaterISAC’s August 23, 2023 Cyber Threat Briefing. Likewise, WaterISAC's H2OSecCon 2023 attendees heard from CRI about this program during the cybersecurity track session titled, “What if the Next Shiny Thing Was Free.”