AWWA and partners host Capitol Hill cybersecurity briefing
August 20, 2024
AWWA Articles
AWWA and partners host Capitol Hill cybersecurity briefing
To educate U.S. congressional staff and stakeholders about water sector cybersecurity challenges and opportunities to build resilience, the American Water Works Association (AWWA) co-hosted an Aug. 14 briefing on Capitol Hill with three partner organizations.
During the briefing, AWWA, the Association of Metropolitan Water Agencies (AMWA), the National Association of Water Companies (NAWC) and the National Rural Water Association (NRWA) highlighted legislation introduced in the U.S. House of Representatives by Reps. Rick Crawford (R-AR) and John Duarte (R-CA) in April to support their recommendation for a collaborative approach to cybersecurity in the water sector.
This method of oversight would create a Water Risk and Resilience Organization to leverage the technical knowledge of utilities, cybersecurity experts and regulators to implement a comprehensive cybersecurity risk management strategy for the sector.
The briefing was facilitated by Kevin Morley, Ph.D., AWWA’s federal relations manager, who testified before key subcommittees on the Hill earlier this year to advance this collaborative approach. Morley was joined by a panel of utility representatives from each association that shared their unique cybersecurity experiences with attendees. The panelists included (pictured above from left):
- Cynthia Lane, P.E., general manager, Platte Canyon Water and Sanitation District
- Don Schumacher, lead superintendent of operations, Connecticut Water/SJW Group
- Cord Ellison, chief information officer, Cape Fear Public Water Authority
- Jeff Ford, general manager, James Kimzey Regional Water District
In recognition that water systems, like all critical infrastructure entities, are not immune to cyber threats, AWWA has actively engaged its members and the sector at large in building cybersecurity awareness and providing resources to support the implementation of best practices.
“Within our organization, we have an enterprise risk management program,” Schumacher said during the briefing. “You would imagine in the risk assessment that we do continuously see that water quality is at the top because that’s our core business. But what’s number two or number three consistently is cybersecurity, so that really tells us how important that is. We fold cybersecurity into the business. It’s part of the process, it’s part of the business.”
Lane said that increased cyber threats have changed the way her utility approaches staff training and education.
“Even as a small utility with limited money available, we are still a target, and we still have to make cybersecurity a priority for us,” she said. “What’s also interesting as well is to watch the change in the type of training we’ve had to push out internally. Before, we might have been focused on outside threats. The other thing we’ve had to switch to more is internal training, making sure our people are aware of the threats that come in. It’s pushed us to have a more comprehensive program and talk about this on a weekly, daily basis with staff.”
The cybersecurity legislation that AWWA, NAWC, and AMWA are recommending also takes into consideration the diverse nature of water utilities. This requires a tiered framework that recognizes the technical challenges facing the sector and sets reasonable cybersecurity requirements that focus on practical, protective and implementable solutions.
“Everyone needs to understand that utilities range from very small and simple to very large and complex,” Ford said. “We need an approach that will fit the needs of everyone, not just the largest of systems. A one-size-fits-all approach would not be feasible or reasonable for our small systems.”
Furthermore, Ellison agreed with the need for a tiered approach that leverages the knowledge of utility owner/operators responsible for managing systems.
The briefing concluded with an interactive question-and-answer session with participants. More information about the legislation and additional resources are available on AWWA’s Cybersecurity & Guidance page.