On Tuesday, February 6, 2024, the House Committee on Homeland Security’s Cybersecurity and Infrastructure Protection Subcommittee held a very interesting hearing entitled, “Securing Operational Technology: A Deep Dive into the Water Sector.”
There were more than half a dozen hearings across the House committees on Tuesday, so deciding which to prioritize was tough.
I ultimately decided on this hearing, because it’s about our water and the technology and cyber security infrastructure that comprise the water supply. As a former management consultant who specializes in large-scale technology transformations, I speak the language and found the witness bios intriguing.
I wasn’t disappointed and watched the 90-minute hearing a few times.
The Anatomy of a “Public Private Partnership”
First off, we need to outline the players in this hearing. This might seem superfluous, but understanding who these guys are, their motivations and incentives helps us contextualize and better understand their testimony.
Robert M. Lee is the CEO and Co-Founder of Dragos, Inc., an “industrial cybersecurity technology and services provider.”
Lee serves in “advisory roles to numerous governments and international organizations across the world, including the United States Department of Energy (DOE), Singapore’s Cyber Security Agency, and the World Economic Forum’s cybersecurity committees on oil and gas and electricity.” He is a “veteran of the United States Air Force and National Security Agency.”
Charles Clancy is a Senior Vice President and Chief Technology Officer at MITRE, “a non-profit, non-partisan research institution that operates Federally Funded Research and Development Centers (FFRDCs) on behalf of the U.S. Government.”
MITRE professionals “provide deep expertise across the executive branch, including in support of organizations like the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and U.S. Cyber Command.”
In other words, MITRE provides the nonprofit glue that holds the public private partnerships together.
Prior to joining MITRE, Clancy spent nine years as faculty at Virginia Tech and “served as executive director of what is now the Virginia Tech National Security Institute.” Clancy began his career at the National Security Agency “leading advanced research and development programs.”
Kevin Morley is the Federal Relations Manager for the American Water Works Association (AWWA), the “largest nonprofit, scientific and educational association dedicated to managing and treating water, the world’s most vital resource.” The AWWA represents “water systems large and small, municipal and investor-owned, urban and rural” and their mission includes “managing cybersecurity risks that could threaten the essential lifeline function water professionals provide 24/7/365.”
Morley has 20 years of experience working across the water sector to advance security and preparedness. He “has supported the national discourse on risk and resilience as a Disaster Resilience Fellow for the National Institute of Standards and Technology, a member of the President’s National Infrastructure Advisory Council and the Water Sector Coordinating Council.” Morley received a PhD from George Mason University.
Marty Edwards is the Deputy Chief Technology Officer for Operational Technology (OT) and Internet of Things (IoT) at Tenable, a cybersecurity exposure management company focused on modern analytics to measure and communicate cybersecurity risk.
At Tenable, Edwards focuses on “furthering government and industry initiatives to improve critical infrastructure security.”
In 2022, Edwards served as a working group lead in Joe Biden’s National Security Telecommunications Advisory Committee (NSTAC). Prior to joining Tenable, Edwards worked in the industry, and served as a Program Manager at the U.S. Department of Energy’s Idaho National Laboratory focused on cybersecurity. He was “the last and the longest-serving Director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is now part of the Cybersecurity and Infrastructure Security Agency (CISA).”
These four experts were testifying before the subcommittee chaired by Representative Andrew Garbarino (R-NY), with ranking member Representative Eric Swalwell (D-CA). The subcommittee has four additional Republicans and three additional Democrats, as shown in the image below.
CISA is Still in Charge of US Critical Infrastructure
Throughout the hearing, the experts drew parallels to the energy sector and talked about the sector interdependencies when it came to critical infrastructure. For example, targeting the energy infrastructure would result in cascading impacts to water, natural gas, and more.
But the macro concepts are even more broadly applicable.
Centralized technical control of critical infrastructure has created new complexities, and complexity breeds and hides corruption. Corruption could mean that security protocols are corrupted and the infrastructure is made vulnerable, or it could mean corruption in a more traditional sense, like crony capitalism, sweetheart deals, and non-competitive contracts.
When it comes to water, there was a moment in this hearing that indicated it might be both.
Late in the hearing, Representative Rob Menendez (D-NJ) tried to get some good sound bites for the Biden Administration, and it did not go well.
Rep. Menendez: “As part of the Biden administration's efforts to strengthen… cybersecurity, they launched a series of sector-specific sprints, including for the water sector, reflecting the administration's desire to make OTSC cybersecurity a priority, and better defend critical infrastructure from our adversaries. To any of the witnesses, what results did you see from these efforts?”
At this point, the experts exchanged glances and giggled. Dr. Morley spoke first:
Dr. Morley: “So, I think in terms of the water sector and that sprint, I think some of the resources and focus was on some very specific technology solutions that, honestly, were a bit beyond the reach of many utilities in terms of maturity…”
Mr. Lee was more direct:
Mr. Lee: “They were pushed very strongly to a government specific answer that didn't actually meet a lot of what they're trying to accomplish, with no resourcing behind it.”
Essentially, the Biden Administration was pushing specific government solutions — ostensibly technologies and their vendors — on water providers. From the responses of the experts, these solutions were not in response to the needs of the sector, but driven by some central agenda.
I wonder if that government-specific solution came with a non-competitive contract.
That Time Iran Attacked Pennsylvania’s Water Supply
“During my tenure in this committee, we have made great strides of OGS on CISS efforts on securing OT, but given recent incidents, we must revisit this topic to consider how Congress may further refine and strike the support to critical infrastructure owners and operators. In late 2023, we saw the latest, the various cyber activity against OT, devices and multiple sectors, including water and wastewater systems, by Iranian affiliated cyber actors,” Subcommittee Chairman Garbarino stated in his opening remarks.
He is referring to the November 2023 cyber attack on the Aliquippa Municipal Authority’s water infrastructure in Pennsylvania.
From AP News:
“At the Aliquippa authority, Iranian hackers shut down a remotely controlled device that monitors and regulates water pressure at a pumping station. Customers weren’t affected because crews alerted by an alarm quickly switched to manual operation — but not every water authority has a built-in manual backup system.”
The government’s response has been to sanction Iran, and the cyber experts are critical of the response. Mr. Clancy stated that the sanction-focused response, “does not scale to the strategic threat that we face” and that “we must think of these attacks in the same vein as a major natural disaster where the solution is not technology band aids but it's more about procedures and people.”
Knowing that most people’s eyes glaze over at technical jargon, let’s simplify the topic:
“OT” means “Operational Technology,” and it’s a hot topic because the “Internet of Things,” or IoT, has created entirely new categories of cyber vulnerabilities. IoT is the foundation of things like smart cities and highways, and refers broadly to sensors and other technologies that digitize the physical world. The PA “hack” occurred because of a compromised device in the field, as shown in the AP reporting above.
The substance of the hearing was this OT threat category and the vulnerabilities of the IoT infrastructure that governs modern life. As Mr. Lee said during his testimony, “If you steal from IT, you steal somebody's data. You target OT, you kill people. You need to treat that differently.”
The Stuff of Nightmares
The experts were asked repeatedly about the biggest vulnerabilities for the US water supply, and their answers are, indeed, concerning. When asked about their greatest nightmare scenario, what keeps them up at night, here are their answers:
Mr. Lee: “Yeah, I would say generally speaking, I care about things at scale…You can very quickly deny drinking water. I mean, I can't sit through this hearing without going through this water for 30 seconds, let alone two weeks. So denying access to our communities or even manipulating chemical levels in that, at scale, is a scary scenario that we have to prepare for.”
Dr. Clancy: “I'm particularly concerned about the interdependencies between several of the different critical infrastructure sectors. You hit energy, water goes down shortly thereafter. Same thing with natural gas, right? So they're all interlinked. And if you have a significant attack on one, you can cause cascading of failures and others.”
Dr. Morley: “I would signal the similar concern with cascading implications for degradation of drinking water or wastewater services and the consequences within the community for that service being unavailable.”
Mr. Edwards: “Yeah, I think echoing the previous witnesses, the reused or the common use of some of these OT devices, the programmable logic controllers, is across many, many sectors, right? So you have the same box in a water treatment plant that you do in an electrical substation that you do in a manufacturing plant. So kind of my nightmare scenario is some type of malware or ransomware that holds all of those devices hostage or makes them inoperable. And we just simply do not have the supply chain capacity to replace all of them in any reasonable amount of time.”
Several years ago, I chaperoned my oldest son’s field trip to our local water treatment plant. It was fascinating, and also gross, but what I recall most after this hearing was how digitized everything was. They weren’t testing water with strips and chemicals, they were running tests and analyzing results on the screens. Chemical levels were adjusted digitally. Alarm systems were tied to digital readings, sounding only when the computers indicated they should.
That is operational technology from a water infrastructure standpoint, and Mr. Lee is right: If you successfully breach the infrastructure and, say, adjust the chemical levels in the water supply, the “hack” can kill people. Not steal their identities, but poison them to death. This kind of compromise can potentially occur without detection – meaning, you wouldn’t know until people started dying.
You do, indeed, have to treat that differently.
“Somebody Must Do Something!”
“So you have the same box in a water treatment plant that you do in an electrical substation that you do in a manufacturing plant. So kind of my nightmare scenario is some type of malware or ransomware that holds all of those devices hostage or makes them inoperable.”
In the experts’ own words, the vulnerabilities addressed in this water deep dive are paralleled in other sectors. Interestingly, the solutions proposed by the experts are similar to those posed by activists in other sectors – where those solutions have been dismissed, and in many cases, demonized. Let’s see if you can guess where I’m going with this.
When asked about solutions, Dr. Morley stated:
“And if there was more direct resourcing to the local communities and the water companies that actually deal with their local integrators, the local contractors, etc., you would not only achieve more efficiency, but then you wouldn't have to worry about trying to make awareness available to 50,000 people or 50,000 entities, but know who to reach out to. And you would create jobs and resources in the local communities as a result.”
Representative August Pfluger (R-TX), who jumped in on the hearing, summarized this as, “It sounds like taking some of that national and making it more local based and regional based would be effective.”
Local control and community-based solutions. What a concept for our critical infrastructure!
Representative Carlos Gimenez (R-FL) was representing all of us proud Luddites, and he used his time to talk about the impacts of quantum computing and artificial intelligence on the water supply, and critical infrastructure more broadly.
The exchange below is edited for length, but it was a fascinating exchange between Gimenez and Mr. Lee about the level of digitization and centralization in US critical infrastructure:
Rep. Gimenez: “Hey, you've got this threat coming. It's called quantum computing attached to AI. It's going to make all your efforts – it could make all your efforts – fruitless. And so, you know, it's thinking about, okay, you know, do we go back to manual … instead of relying on the internet, wouldn't it be smarter for us to rely more on intranet?”
Mr. Lee: “So, I would generally say that I very much prefer the American infrastructure services provided than the ones the Chinese provide to their citizens. And it's because of that that we have digitization and connectivity. You can't go back, but to your point. I think it's spot on for what are our strategic sites. What are the ones that we want to be able to have that capability? Because to do it at scale across the 50,000 plus water companies cannot be resourced, especially when we're still dealing with the trillion dollars worth of infrastructure upgrades. We just need for clean water.”
Rep. Gimenez: “Sorry, I'm giving you Murphy's law. And you're denying it. You're saying, it's okay. Well, you know, I mean, resource it, which means to make you need more people, and more money. What about to tell you that for every one person that we have working on the Chinese issue or the CCP, they have 50. You'll never be able to out-resource them.”
Mr. Lee: “I'm an Air Force and NSA alum. Sir, I would take one of ours for 50 others any day. But to your point, when you look at the systems, if we pick out the strategic sites and do a lot of what you're talking about, I think it's a great idea. We just cannot scale it across the entirety of the country, especially when a lot of water infrastructure companies share one IT contractor amongst six companies. You're talking about 20 more engineers per company. It's not in the resources and capabilities of our country …”
Rep. Gimenez: “I'm saying look, the vulnerability comes in the fact that you're tied to the internet. Anybody can attack you from anywhere in the world. If you have a closed system … they can't attack you from anywhere in the world because you're a closed system.”
Mr. Lee: “And we could not operate it. And you what? And we could not operate it. When you look at the operation portfolio, when you look at the OEMs, the original equipment manufacturers and how they build these systems, and how we work with them, you can no longer operate manually disconnected or in an intranet. And unfortunately, that's just reality. We have to set it at a technical level. So then it's risk management beyond that about what do we do about it? Should we develop that capability? I think there are more efficient ways to get to a more resilient system than trying to do that.”
Rep. Gimenez: “Again, I guess I’m a little bit more pessimistic knowing what's coming.”
We’re digital now, and we’re gonna stay that way.
That is the leading position of the sector coordinating council over the water supply.
At another point in the discussion, Subcommittee Member Carter (D-LA) was asking about issues with saltwater intrusion and the need for alternative water supplies, and Dr. Morley replied:
“Planning for alternative water supply is certainly a critical need, and the challenges that we're faced in that portion of Louisiana were certainly … challenging. I think it requires a collaborative approach between EPA, the Corps of Engineers to some extent, CISA to evaluate some of those opportunities. The Water Sector Coordinating Council, for example, has made … a mercy water supply, a critical priority.”
To me, these two answers from the two different experts are at odds. That is, the idea that we need an alternative water supply for the impacts of climate (such as saltwater intrusion), but developing an alternative water supply in the event of cyber attacks is inefficient and unnecessary.
And while Mr. Lee stated that there are “more efficient ways to get to a more resilient system” than developing non-digital redundancies, he didn’t elaborate.
The Water Signals a Brewing Storm
The vulnerability of our water supply is terrifying. The experts in this hearing did a good job of making sure everyone knows that it’s terrifying.
And it’s not just water.
The issues raised with regards to the water supply are the same issues with the energy, banking, and communications systems of our country.
One of the reasons for this is that the hardware – the computers, networking, IoT sensors and other component parts within the infrastructure – has similar supply chains. That is, it’s foreign made, often by US adversaries like the Chinese.
Another reason is the authoritarian push over the past two decades to centralize the infrastructure. Centralization creates complexity, and complexity breeds and hides corruption.
Thus, these ecosystem challenges laid out for the water sector, by recognized experts, also apply to energy, banking, communications … elections.
The fact that CISA is in charge of all of it—you have to wonder if these challenges are an unintentional byproduct of well-intentioned innovation, or part of a more sinister design.
That is, are the vulnerabilities in US critical infrastructure a bug … or a feature?
Either way, according to the experts, this is the calm before the storm.
Speaking of, local water authorities in Colorado are now sending their customers FEMA notices on water-related disaster preparedness.
I’m sure it’s just a coincidence.
Ashe in America hosts Culture of Change on Badlands Media, Sundays at 6PM ET. If you enjoyed this contribution to Badlands Media, please consider checking out more of her work for free at Ashe in America.
I read somewhere that it's recommended to have a 30-day supply of water on hand. It sounds from reading your post about the system vulnerabilities that this might be a wise course.
wells, independent.
I spoke to a retired gentleman, who said he worked under the streets on the infrastructure of water. He did not put together the sinister "inlets" in the system, all over it, to ADD things to the water that had left the station, until after he retired, and realized how they could so easily poison by neighborhoods.
FYI, fluoridation is mind control reducing IQ drastically, and weakening bones, never did strengthen teeth. That was a lie. The fluoride used is scraped from cleaning smoke stacks, it is a poisonous waste product, more toxic than fluoride alone.
Know that dedicated, intelligent, aware, science based patriots have been on this fluoride additive poisoning humanity, for decades. And are finally getting further on it.
https://fluoridealert.org/
https://www.chelseagreen.com/product/the-case-against-fluoride/
I vote for people doing the work. Manual operations. IT is safer. Local. A disaster leaves you with water power/energy, in the neighboring town or municipality. Do I have to run for office!