Duncan, Okla. – NRWA and the Mission Critical Global Alliance (MCGA) signed a memorandum of understanding on March 9, 2021, affirming a commitment to cybersecurity education for the water sector.
“Last month’s unlawful intrusion into the City of Oldsmar's water treatment system was the latest example of the vulnerability of our nation’s small and rural utilities to cyber-attacks,” said Matt Holmes, NRWA CEO. “The City’s operator should be commended for taking immediate action to prevent catastrophic consequences. NRWA takes cybersecurity very seriously, and is committed to raising the bar for awareness, education and support for water professionals.”
MCGA and NRWA are developing a plan for a comprehensive continuous cyber education program that will help all small and rural water and wastewater systems better manage their cybersecurity risk, by:
There are more than 145,000 active public water systems in the United States (including territories). Of these, 97% are considered small systems under the Safe Drinking Water Act, meaning they serve 10,000 or fewer people. Systems of the size of City of Oldsmar (15,000 population) have limited resources to manage the threat to their operations.
In the field of cybersecurity, guidance is often too complex or difficult to act. Experts provide lists of 20 or more points that need to be investigated, and many of these require specialist skills. Specialist service providers are often driven by their own business interests, focusing their services on technology at the expense of people and process. NRWA and MCGA will focus on simple guidance and practical steps that will help all members better manage their cybersecurity risk.
It is impossible to completely remove all cybersecurity risk. However, rural water and wastewater systems can take actions that will reduce the likelihood of an incident, or the consequences of that incident. Some of these actions can be taken immediately by water utilities, such as removing insecure remote access, performing a risk assessment, raising awareness, securing user accounts, and implementing policy for former employees.
“Today’s announcement is just the beginning of a sustained effort to tackle the issue of cybersecurity in America’s critical water infrastructure sector,” Holmes said. “For too long, we have witnessed underinvestment by the Federal Government to support small and rural communities respond to cyber threats.”
MCGA and NRWA considers these actions essential for all rural systems. Undertaking these actions does not remove all cybersecurity risk, but it does reduce the risk considerably. There are many more actions that should be taken, and the cybersecurity risk continually changes.