Utility firms in small towns and rural communities across the country lack critical funding and staffing resources necessary to counter an escalation in nationwide cyberattacks, state and local infrastructure experts warned on Wednesday.
Optional caption goes here. Optional caption goes here. Optional caption goes here. Optional caption goes here.
State and local infrastructure advocates are seeking increased investments in cybersecurity resources for rural and small communities, pointing to a severe lack in staffing and federal compliance training in some parts of the country.
Sophia Oberton, special projects coordinator for the Delmar Public Works Department in Maryland, urged lawmakers to provide additional funding towards technical training and assistance programs like the Rural Water Circuit Rider Program during a Senate Environment and Public Works Committee hearing on Wednesday.
"I think what happens is when we look at the larger positions, people don't see what's going on in our small towns," Oberton said. "In small areas, you don't have enough employees to cover some of the day-to-day things that need to get done … You need to come down off that chair and come see what's really going on in our areas, and sit down and have conversations and know what the specific needs are. Because each utility is different. Each utility is not the same."
The rider circuit initiative was launched in 1980 with the goal of providing hands-on federal training and technical assistance to water utility managers and other specialists on a range of issues, including compliance with federal regulations and all other aspects of water utility management. Oberton said the program, though currently underutilized among smaller communities and utilities susceptible to cyberattacks, can provide critical cybersecurity training and technical assistance for those areas and local specialists.
However, a majority of water utilities have not even fully assessed their own IT assets, according to a June survey from the Water Information Sharing and Analysis Center (Water-ISAC) that includes responses from more than 530 organizations. Dozens of firms responded that they were "not sure" if they had experienced a cyber incident.
Other witnesses also stressed further training and funding was required in order for the federal government to move forward with its cybersecurity goals featured in President Joe Biden's executive order released in May, which outlined aggressive deadlines for all agencies and stakeholders to begin improving their cyber posture.
Shailen Bhatt, president and CEO of the Intelligent Transportation Society of America, said some water utility firms, other private contractors and federal agencies have been successful in responding to cyberattacks after taking implementing measures featured in the National Institute of Standards and Technology's cybersecurity framework.
"The playbook that I would recommend is the NIST framework for all of the stakeholders," he said. "Their framework for cybersecurity talks about identifying the threats to your system, protecting against those vulnerabilities, detecting attacks on your system, responding to them and then recovering."