WASHINGTON, D.C. – Rep. Mike Gallagher (R-WI), co-chair of the Cyberspace Solarium Commission (CSC), today testified before the Senate Committee on Environment and Public Works to discuss ways we can address cyber vulnerabilities in our nation’s physical infrastructure. The hearing comes after water treatment facilities in Florida, California, and Kansas suffered from cyberattacks that threatened the safety of drinking water in these communities earlier this year.
In an opening statement before the committee, Gallagher said, “Municipalities have benefited greatly from the enhanced efficiency and quality brought by automated and remote systems for treating water supplies, but those same systems introduce new risks when not properly secured. As can often happen when budgets are tight and must be balanced, investments in security can fall by the wayside…Against these threats, the water sector faces challenges ranging from maintaining awareness of the threats to assessing risks to identifying and remediating vulnerabilities.”
In March of 2020, the CSC released a report with more than 75 recommendations to better protect the United States in cyberspace, many of which touched on ways to protect our nation’s critical infrastructure from cyber threats. These include:
- Codifying sector-specific agencies’ (SSAs) responsibilities in preventing and responding to cyber threats,
- Ensuring that SSAs such as the EPA conduct their risk management assignments effectively, and
- Better enabling state and local governments to improve the capacity of water utilities to prevent and mitigate the growing threats they face from cyberspace.
A video of Rep. Gallagher’s opening statement is available for broadcast and distribution.
Rep. Gallagher’s full remarks, as prepared for delivery, can be found below.
Thank you Chairman Carper, Ranking Member Capito, and distinguished members of the Committee for the opportunity to speak with you today. I appreciate the chance to appear along with my U.S. Cyberspace Solarium Commission co-Chair, Senator Angus King, to talk about the importance of securing our nation’s water supply from cyberattacks.
The U.S. Cyberspace Solarium Commission was authorized through the National Defense Authorization Act for Fiscal Year 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” In the course of this work, we paid special attention to our national critical infrastructure and the importance of securing that infrastructure from both criminal and nation-state cyber threats.
The sixteen critical infrastructure sectors are not equally equipped when it comes to cybersecurity: There are leaders—like the financial services sector—and there are laggers. Despite the importance of our water systems, the water and wastewater infrastructure sector lags behind many of its peers, posing a risk to our public health and safety. In the report we submitted to Congress in March of 2020, the Commission concluded that “water utilities remain largely ill-prepared to defend their networks from cyber-enabled disruption.” As we’ve continued our work on improving the nation’s cybersecurity, bolstering the ability of the water sector to detect, prevent, and withstand cyberattacks has emerged as a crucial priority.
Though 55 percent of utilities responding to a survey conducted by the Water Sector Coordinating Council rated cybersecurity as a high or top priority, the overall cybersecurity of our water sector remains immature. A 2016 National Infrastructure Advisory Council report highlighted the “wide disparity” in the technical capabilities and resources of water utilities across the country: Many of our nation’s nearly 70,000 community water and wastewater systems are small, publicly owned assets that are not equipped to deal with nation-state threats. And the National Infrastructure Advisory Council has described federal support for the resilience of the water sector as “fragmented and weak.”
Municipalities have benefited greatly from the enhanced efficiency and quality brought by automated and remote systems for treating water supplies, but those same systems introduce new risks when not properly secured. As can often happen when budgets are tight and must be balanced, investments in security can fall by the wayside. The Water Sector Coordinating Council reports that 38 percent of utilities dedicate less than 1 percent of their budget to the cybersecurity of information technology, and 44.8 percent allocate less than 1 percent of their budget to the cybersecurity of operational technology. Insufficient security investment leaves the water sector vulnerable to nation-state and criminal adversaries and insider threats—disgruntled employees or former employees with specific knowledge of how to disrupt a utility’s information technology or operational technology systems. Against these threats, the water sector faces challenges ranging from maintaining awareness of the threats to assessing risks to identifying and remediating vulnerabilities. A shortage of qualified cybersecurity professionals across the globe compounds the problem, making it difficult for resource-strapped organizations to attract and retain the talent necessary to protect our drinking water and public health systems.
Earlier this year, the city of Oldsmar, Florida, suffered a cyberattack in which malicious actors attempted to change the level of lye in the city’s drinking water. Though the attack was quickly detected and stopped, the situation could have been disastrous. In another incident, a malicious cyber actor compromised a California water treatment plant, deleting crucial programs meant to treat drinking water. And in April, federal prosecutors unsealed a grand jury indictment of a former employee of a Kansas water utility who remotely tampered with the utility’s cleaning and disinfecting procedures. It was through sheer luck that none of these incidents affected customers.
A more sophisticated adversary could impact the safety of thousands of Americans through a cyberattack on our water supply. Beyond the direct impact to drinking water, a cyberattack affecting the water supply could have cascading impacts for other critical infrastructure sectors that rely on clean and safe water to function properly: That’s why it’s considered a lifeline sector. These incidents underscore the importance of protecting our water systems and the need for more coordinated, consistent federal action to ensure that water utilities have the people, processes, and technology necessary to protect our public health and safety. Investment in the sector’s cybersecurity must match the importance of the sector to our national security, economy, public health, and safety.
Thank you again to Chairman Carper, Ranking Member Capito, and members of the committee, for the opportunity to discuss this pressing issue with you today. We appreciate your attention to the matter, and with that, I would like to turn it over to my Cyberspace Solarium Commission co-Chair, Senator King.