What resources do small utilities need to defend against cyberattacks?
Today, small utilities are on the front lines of cyberattacks, yet they often fall through the cracks of well-intentioned programs and public-private partnerships that aim to secure the nation’s critical infrastructure. Community utilities that ensure we have power, clean water and fuel to heat homes now find themselves defending against highly motivated adversaries with financial and political agendas.
In January, FBI Director Christopher Wray confirmed that Chinese government-backed hackers are already positioned in that very infrastructure, preparing to cause real-world harm. And attacks against critical infrastructure are no longer a theoretical possibility. At the end of last year, the hacktivist group CyberAv3ngers targeted Israeli-made programmable logic controllers (PLCs), resulting in a compromise at a Pennsylvania water utility, as well as other entities in the United States and globally.
Water utilities such as the one targeted in Pennsylvania protect our community’s vital resources but lack the proper resources to do so. Now more than ever, these organizations need both funding and expertise to buy and deploy updated equipment and hardware, as well as critical tools for cyber protections. However, securing these systems is not as simple as a funding issue. Not only are these utilities operating within extremely limited budgets, but their purchase and investment approvals are screened through a vetting process that wasn’t built to take into account cybersecurity needs.
Understanding the need
Small utilities have limited resources for cybersecurity yet are crucial to the communities they serve, as well as to national security. According to the Environmental Protection Agency, small public water systems represent more than 90% of the nation’s community water systems. Many of the nation’s almost 3,000 public power companies and electric cooperatives are small or rural as well. Adversaries are targeting organizations of all sizes in order to cause disruption of essential services or create fear among the public.
Smaller organizations make easy targets because they often do not have the same level of resourcing to protect their systems. For some small utilities, the limitations are simply financial. They don’t have the budget for new equipment and technology or to recruit cybersecurity personnel. For others, the challenges are even more foundational. They may not have even a single dedicated staff member focused on cybersecurity and are subject to complicated spending approval processes and oversight programs that are not designed to prioritize or even allow cybersecurity investment. And so they face the growing threat environment without the expertise to fully address cybersecurity risk, especially when it comes to threats against the operational technology that runs the physical environments within critical infrastructure, such as industrial control systems that open circuit breakers at an electricity distribution station or operate water pumping stations.
Partners across government and industry are coordinating more closely than ever to protect critical assets, functions and services across sectors. CISA, the FBI and other agencies routinely share advisories on vulnerabilities with industry. The North American Electric Reliability Corporation brings government and industry leaders together in GridEx, a large-scale exercise, to practice what response and recovery would look like during a coordinated attack on the grid. But not all critical infrastructure is starting from the same place when it comes to defending against cyber threats, and, for many, just prioritizing and acting on information is a challenge. Better coordination with the federal government will remain insufficient if utilities lack the capacity to build defensible systems.
Closing the resource gap for collective defense
When it comes to supporting utilities in their mission to defend their community infrastructure against cyber threats, we need to offer the resources they need now. For some, this will be tools to start building a basic cybersecurity program. In addition to technology solutions, this includes support with things like tabletop exercises and fully implementing best practices or critical controls, such as the 5 ICS Cybersecurity Critical Controls.
But if we really want to help small utilities defend against cyber threats, we have to close the resource gap. Cybersecurity and operational reliability go hand in hand, and budgets need to reflect this. Budgeting processes need to include cybersecurity needs as baseline requirements and they need to be informed by cyber expertise. And costs for cybersecurity investment need to be recoverable. We can’t make utilities choose between reliability and security. Our communities need both.
Greater funding will be insufficient without faster and more straightforward access to the fundamental cybersecurity tools and technology that operators need now. Recent grant programs to assist states and communities in closing the cybersecurity resource gap, such as the Department of Homeland Security’s State and Local Cybersecurity Grant Program, are a start, but there are still process hurdles that slow resources from reaching the operators who need them, as well as oversight challenges locally that delay and prevent essential cybersecurity investments. Grant money movement is slow and has to flow through many checks and balances, for good reason. And most small utilities don’t have grant writers, or staff with roles intended to find, apply for and track all the requirements that come with grants.
At Dragos, we understand the challenges that small electricity, water and gas utilities face in accessing these tools, so we recently launched our Community Defense Program to help them build critical cyber protections faster through no-cost access to our platform software and other resources. We share in our collective mission to protect the nation’s critical infrastructure and this program is us putting action behind our words.
Individual companies and government agencies can’t solve the problem alone, but we can each consider where we can best contribute, so we are working together to get resources in the hands of operators faster and protect our communities better. Let’s close the resource gap by making it easier for small utilities to access the tools and information they need when they need it most.
Robert M. Lee is the CEO and co-founder of Dragos, a company that focuses on cybersecurity for industrial control systems and operational technology environments.