US critical infrastructure, most recently defined in President Obama’s 2013 Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience, is presently comprised of sixteen sectors. Among these are several “critical lifeline” sectors, upon which all other infrastructure (and our homes and schools…) rely. One of those critical lifelines is the Water and Wastewater Systems Sector, which is operationally supported by the Water Information Sharing and Analysis Center (WaterISAC) – authorized by Congress in 2002. WaterISAC members mainly include drinking water and wastewater utilities. Michael Arceneaux is the Managing Director of WaterISAC.
“Without water not only can you not prepare food and bathe, but you can’t flush toilets, and large buildings and data centers can’t be cooled… Energy production would be curtailed… Patients in hospitals and health care centers would need to be evacuated. Manufacturing and production that relies on treated water would cease.”
Q: Water is not only a critical infrastructure sector, but it’s a lifeline sector, too, along with energy, transportation, communications/IT and emergency services. Would you talk about that?
A: A lifeline sector is one that provides a service that, if compromised or not quickly restored, risks human health and economic security. That certainly applies to the Water Sector. Still, a lot of people don’t think about water or wastewater service until the service is missing. The Water Sector needs to be a top priority for restoration by the emergency management agencies and the power sector. One of the strategic goals of the Water Sector Coordinating Council (WSCC) and our Sector’s Government Coordinating Council (GCC), chaired by US EPA, is to improve the awareness of water’s criticality.
It’s not uncommon that we have to remind well-meaning government agencies and other sectors that without water not only can you not prepare food and bathe, but you can’t flush toilets, and large buildings and data centers can’t be cooled. Energy production would be curtailed. Most businesses and government agencies would shut down and local populations would begin migrating out of the area. Patients in hospitals and health care centers would need to be evacuated. Manufacturing and production that relies on treated water would cease. The public health and economic impacts would be enormous if water and wastewater service were to be interrupted for a substantial period of time. Think of the months-long suffering that parts of Puerto Rico endured without water after its electric power systems were destroyed by Hurricane Maria.
Q: Have you seen positive change since the WSCC and GCC made greater awareness a priority?
A: Certainly. But it demands constant effort. For example, at one hurricane response meeting last year here in Washington among government and critical infrastructure representatives, water wasn’t even on the agenda until a colleague made an issue of it. Still, it is getting better.
I think people fail to recognize that water and wastewater systems are complex enterprises. A lot is going on behind the scenes, before you can turn on your tap or flush.
Q: Speaking of cross-sector issues, you and I have been involved in efforts of the National Council of ISACs (NCI) to reinforce the lines of communication and coordination across sectors and with government during incident response. Discuss your Sector’s interdependencies with other sectors and the importance of cross-sector planning and collaboration.
A: Daily life and our economy can’t operate without water. At the same time, water service relies on other sectors. Electricity is the big one. In a disaster that interrupts the power grid, generators and diesel only go so far. Other interdependencies are the Chemical Sector, because we need chlorine and other treatment chemicals; transportation, because chemicals, fuel, and people need to get to our facilities; and communications and IT, not only for personnel to communicate but also because managing our treatment systems, pumps, and lift-stations relies heavily on industrial control systems (ICS). Our 2015 Water and Wastewater Sector-Specific Plan touches on these interdependencies.
“Water service relies on other sectors. Electricity is the big one… Other interdependencies are the Chemical Sector… transportation… communications and IT, not only for personnel to communicate but also because managing our treatment systems, pumps, and lift-stations relies heavily on industrial control systems (ICS)… Cross-sector coordination is key, and the NCI is the main game in town for cross-sector communications.”
Cross-sector coordination is key, and the NCI is the main game in town for cross-sector communications. Through our NCI linkages we communicate daily, weekly, monthly and quarterly with our counterparts. More importantly, we know who to call when something bad happens. We also know what to expect from each other thanks to the Operational Coordination Forums that you organize for the NCI. Through the forums we have the opportunity to step through scenarios with our counterparts and government partners and explore the information sharing process.
Q: Michael, you’ve been involved in the Water Sector for over twenty years and have seen a lot of changes in the threats and risks critical infrastructure is facing and in the community focused on protecting against those threats. Are there any threats or concerns that particularly jump out at you today?
A: One threat that is ever present in our minds is water contamination, whether intentional or accidental. There are many measures in place to prevent this and to respond if there were an actual event or a claim of contamination, but it’s a top-most concern we have. That’s one reason why WaterISAC provides members with single sign-on access to three contaminant databases, which contain information about chemical and biological agents. Also we have a cooperative agreement with the DHS Chemical Security Analysis Center, which identifies and assesses chemical threats and vulnerabilities, and we support US EPA’s Water Laboratory Alliance and contaminant monitoring research efforts.
“Cyber threats and risks, it appears, will always be with us. It is critical that utilities continue to put resources toward enterprise IT security and industrial control system security.”
Cyber threats and risks, it appears, will always be with us. It is critical that utilities continue to put resources toward enterprise IT security and industrial control system security. WaterISAC’s 10 Essential Security Measures for Water and Wastewater Utilities (the latest edition will be released in early September) addresses the best practices that Water Sector systems should be implementing. However, there are thousands of utilities that don’t necessarily have the capacity to digest sophisticated IT recommendations. Congress just enacted the NIST Small Business Cybersecurity Act, which is intended to help small organizations implement the National Institute of Standards and Technology Cybersecurity Framework. I have faith that NIST will produce some good resources, and when it does WaterISAC will alert the Sector to its value.
Q: Events such as the 2017 WannaCry ransomware attacks, the 2016 DHS report of a cyber attack on a US water utility, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have. And in recent weeks, DHS and the FBI have asserted that Russians have targeted water and wastewater systems. Is there anything you can share about these and other cybersecurity threats?
“It shouldn’t surprise anyone to learn that Russia, other nation-states, or criminal organizations are nosing around water utilities’ IT and ICS networks.”
A: Ransomware attacks and business email compromise scams are probably as common in the Water Sector as they are in other business sectors. As far as what DHS and FBI have published publicly about Russian activity, it shouldn’t surprise anyone to learn that Russia, other nation-states, or criminal organizations are nosing around water utilities’ IT and ICS networks. It has been said by US government cybersecurity leaders and subject matter experts that organizations should assume they have been compromised. That’s something we should all keep in mind. And I think it makes the case for monitoring network traffic for threat indicators. WaterISAC is one of a relative handful of organizations across the country using automated threat intelligence from the DHS’s Automated Indicator Sharing program. WaterISAC also subscribes to a feed from the department’s Cyber Information Sharing and Collaboration Program. Our members can leverage these intelligence feeds, as well as those from private sector sources, through our partner Perch Security. This is a pretty unique service that a growing number of our members use because it detects and confirms compromises, and it notifies them to take action.
Q: What is WaterISAC’s origin story and mission?
A: Following the publication of the 1997 Report of the President’s Commission on Critical Infrastructure Protection and President Clinton’s 1998 Decision Directive 63, the US EPA and the FBI approached Water Sector leaders about setting up something called an information sharing and analysis center. Recognizing the need to protect water facilities from both cyber and physical threats, the leaders of the Sector agreed and began development of WaterISAC in March of 2001. The 9/11 attack on the World Trade Center was a horrible reminder of our nation’s infrastructure vulnerabilities, and it accelerated development of the ISAC, which opened its doors in early 2002.
Our mission is to help our members – and our Sector at large – protect against physical and cyber hazards and to help them recover from incidents and disasters. We do this through our twice-weekly updates, our online library containing literally thousands of resources, our products, and our webinars, advisories, and briefings.
“Our members are in the US, Canada, Australia, and New Zealand. The membership includes not only drinking water and wastewater systems, but also state and federal government agencies with a role in Water Sector security and resilience, Water Sector consulting firms, and Sector associations.”
Q: Tell us a little about your Sector, your membership and how WaterISAC is organized.
A: In the US, our Sector comprises about 52,000 community drinking water systems and around 16,000 wastewater systems. Approximately 85% are part of local government, and the remainder are privately owned, investor-owned or non-profits. Most serve small and rural communities, while the largest utilities serve the majority of the US population.
Our members are in the US, Canada, Australia, and New Zealand. The membership includes not only drinking water and wastewater systems, but also state and federal government agencies with a role in Water Sector security and resilience, Water Sector consulting firms, and Sector associations.
In terms of how we’re organized, we’re a nonprofit. And we’re a partnership of the Water Sector. Eight principal US national water and wastewater associations appoint the utility managers and the state water administrator who comprise our board of managers.
Q: Occasionally, I’ve heard murmurings that ISACs are “pay-to-play” because there are membership costs. Is that the case for WaterISAC?
A: ISACs cost money to operate, and we rely on dues to support our member services. Nevertheless, we want to be of value to our entire Sector, not just those who pay dues. We just launched our new website in mid-August, and we designed it to provide any visitor – member or not – with any federal agencyadvisory or other resources that are available for general public consumption, as long as it pertains to the Water Sector. And any Sector utility that calls us for support will be helped. Otherwise, you have to be a vetted member to access anything containing potentially sensitive information and to download certain value-added resources.
Our dues are very reasonable. Other ISACs are fortunate enough to be extensions of federal agencies, or their member companies are well-heeled. But our members are mainly public agencies, so our dues structure reflects that.
Q: Any parting thoughts you’d like to share?
A: A big issue that the Water Sector needs to resolve – and I suspect it’s true for other sectors – is convincing critical infrastructure owners and operators to report incidents and cyber threat indicators to their ISACs and be willing to share them with each other in a confidential way. Maybe two or three ISACs have seen some success in this area, but for the most part, there is a reticence to share. I see at least four reasons for this. First, there is a lack of confidence in data sharing and storage mechanisms – such as email and third-party cloud-based platforms. WaterISAC is exploring affordable solutions to that problem. Second, sharing incident details can seem time-consuming, and it’s not part of anyone’s job. To address that, WaterISAC plans to invest in developing a positive culture around incident sharing. Third, owners and operators may not understand the value of sharing incident information. So another WaterISAC goal is to do a better job of explaining that sharing incident information can make everyone safer. The concept of “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you” is not very helpful to collective security.
Thank you, Michael. All critical infrastructure is obviously important for many reasons, but water and the critical lifelines are the communities we rely on at a must basic level. Thanks for what you’re doing everyday to protect one of our most vital resources and for working so hard to enhance the security and resilience of the water community!
About Michael Arceneaux: Michael is the Managing Director of WaterISAC and Chief Operating Officer of the Association of Metropolitan Water Agencies (AMWA). Prior to joining AMWA in 1995, Michael worked for US Sen. John Breaux on environmental policy and served as an intelligence specialist in the US Navy.
About WaterISAC: The Water Information Sharing and Analysis Center (WaterISAC) was authorized by Congress in 2002 and created and managed by the water sector. Its mission is to keep drinking water and wastewater utility managers informed about potential threats and risks to the nation’s water infrastructure from all hazards, such as intentional contamination, terrorism and cyber-attacks, and to provide knowledge about response, mitigation and resilience. Funded by annual membership dues, WaterISAC links members to critical resources through a secure online portal. Member organizations include water utilities; local, state and federal government; and consulting and engineering firms. Read more.