October is Cybersecurity Awareness Month, drawing attention to potential threats and the importance of having adequate safeguards in place to thwart hackers. Critical infrastructure components can be primary targets because any disruptions in their operation can have a widespread impact. Northern Michigan University assistant professor of political science Jongeun You recently wrote an article for the IBM Center for the Business of Government that contends the U.S. water sector is particularly vulnerable.
The article defines cyber threats as a “sword in a battle in cyberspace” and cybersecurity as the shield, referring to the way that public, private, and nonprofit actors take action to protect themselves from the damage of cyber threats. Cyberattacks and cyber intrusions on operational and information technology (OT/IT) systems can range from a data breach (theft/manipulation of information, personal, confidential, medical, etc.) to damage or disruption of infrastructure assets. These often come in the form of phishing, malware—such as ransomware—and Denial of Service attacks.
Dr. You said water and wastewater operators often rely on industrial control system devices developed decades ago, and that their OT/IT systems tend to be outdated. The U.S. also has more than 150,000 public water systems, leading to a fragmented structure that is difficult to protect. Small- and medium-sized municipal operators are also highly vulnerable to cyberattacks due to underfunding and a dependence on outside contractors.
“The cyber threat landscape is evolving, and cyber threat actors continue to update their tactics and find new ways to target victims,” Dr. You said. “At the same time, however, we must recognize our society's collective capacity to govern, identify, protect, detect and respond to cyber threats and recover from the damages. For example, the federal government is implementing strategies to safeguard critical infrastructure sectors from cyber threats. The strategies include timely incident response and effective coordination among various stakeholders. The industry is also actively enhancing the resilience of critical systems beyond meeting regulatory requirements.”
There have been cyber threats to the U.S. water sector in recent years. In 2021, two small wastewater plants in Maine were attacked by ransomware hackers. While there was no threat to the public since the plants operated without the assistance of computers, the office was still without computers for three days. This raised concerns, with the Maine director of the Bureau of Water Quality, Brian Kavanah, stating that a cyberattack could lead to an override of alarms, interference of pumps or stolen information.
“While many technical challenges remain to be solved, there is a great need for more expertise in policy and regulation to address cyber threats to the water sector,” Dr. You said. “The intersection of technology and political science is essential to water cybersecurity.”
Dr. You was also invited to deliver a talk, “Cybersecurity and U.S. Water Infrastructure,” at the 2023 second annual Upper Peninsula Cybersecurity Symposium. Michael Sauer, director of the Upper Peninsula Cybersecurity Institute at NMU, hosted the symposium and attended the session on critical infrastructure.
“The symposium was a big success, attracting federal, state and local cybersecurity agencies, as well as industry and non-profit stakeholders,” said Sauer. “Dr. You's talk contributed to our collective success by bringing expertise on political science and public administration to improving critical infrastructure cybersecurity.”
Dr. You was selected as a 2022 U.S. Defense Advanced Research Projects Agency Riser for his cybersecurity research in the water sector. Read his related article for the IBM Center for the Business of Government here.