Critical Infrastructure Security

Small Utilities, Hospitals Struggle With Newer Cyberthreats

Lack of Money, Expertise Creates Big Challenges for Small Infrastructure Providers
Small Utilities, Hospitals Struggle With Newer Cyberthreats
From left, Puesh Kumar, director, Department of Energy; Brian Mazanec, deputy director, Department of Health and Human Services; and David Travers, director, Environmental Protection Agency

Small electric utilities, wastewater facilities and hospitals struggle with defending their organizations against emerging cyberthreats given their meager resources, U.S. government officials told a congressional oversight panel Tuesday.

See Also: 5 Requirements for Modern DLP

Slightly fewer than 100,000 drinking water systems and 16,000 wastewater systems serve the United States and its territories,and their customer bases range in size from more than 8 million to just 500 people, said David Travers, head of the Environmental Protection Agency's Water Infrastructure and Cyber Resilience Division.

"The most significant cyber risk in the water sector remains the failure of many utilities to adopt best practices," Travers said. "This critical vulnerability is apparent both from a recent industry survey - which showed that most utilities had not taken key steps to protect their operation - and from cyber incidents at water systems, which have exploited the failure to implement cybersecurity best practices."

The EPA has provided one-on-one technical assistance to hundreds of smaller water and wastewater systems, and subject matter experts have identified gaps in cybersecurity best practices and implemented remediation actions tailored to the resources and goals of the utility entities. The agency last March said it will start assessing cybersecurity as a factor in periodic safety assessments (see: US EPA Regulates Public Drinking Water for Cybersecurity).

"These systems, though small, are critical to the viability of the communities they serve," Travers said. Their smallness often puts them at greater risk since they lack the dedicated cybersecurity personnel of larger systems, he told lawmakers.

The EPA focuses on best practices such as strong and unique passwords rather than recommending resource-intensive interventions. Travers said the EPA also offers 'train the trainer' programs to third parties such as the National Rural Water Association and the Department of Agriculture's Rural Community Assistance Program, which often serve as a source of technical expertise.

The Energy Department provides tools to smaller utilities that help them both gauge their existing cyber posture and make investment decisions, said Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response. The department's rural and municipal utility grant program delivers cybersecurity technical assistance and funding directly to rural cooperatives and waste utilities nationwide.

Why Incidents at Small Hospitals Are More Severe

The Health and Human Services Department has developed separate sets of industry best practices for small, medium and large hospital systems with off-the-shelf resources that small hospitals can use as is, said Mazanec, deputy director for the Office of Preparedness.

"Our focus is on safety and health impacts for smaller, rural hospitals located in an area where there aren't multiple hospitals and less ability to divert when there is a need," said Brian Mazanec of the Health and Human Services Department. "In some respects, that can make the incidents even more severe when they do occur, in addition to the fact that they may have less resources to harden their target."

In response to this bifurcation, Mazanec said HHS has developed tailored resources that will make it easier and more efficient for smaller hospitals with fewer resources to harden their infrastructure. In addition to off-the-shelf tools, the agency offers an on-demand series of courses to help small institutions that lack resident cyber experts and will collect data on how existing tools are used to drive future revisions.

"We engage closely with the sector, we coordinate with them, and we're developing tailored tools," Mazanec said. "This is also why we think we need to elevate our activity. The threat is growing."

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.