- by Jennifer Lyn Walker

To complement his testimony at the Subcommittee on Cybersecurity and Infrastructure Protection hearing entitled, “Securing Operational Technology: A Deep Dive into the Water Sector” in February, Dragos CEO and cofounder Robert M. Lee continues his impassioned plea for the need for cybersecurity resources for small utilities. In a recent post at CyberScoop, Rob uses his influence to persist in the fight for underserved critical infrastructure organizations, especially utilities providing our vital services.

Rob emphasizes several poignant points that are often repeated in ongoing discussions on closing the resources gap, including (but not limited to):

• While partners across government and industry are coordinating more closely than ever to protect critical assets, functions and services across sectors, the small entities often fall through the cracks of these well-intentioned programs and public-private partnerships.
• Now more than ever, these organizations need both funding and expertise to buy and deploy updated equipment and hardware, as well as critical tools for cyber protections.
• Greater funding will be insufficient without faster and more straightforward access to the fundamental cybersecurity tools and technology that operators need now.

So, what will it take to move this needle forward and provide the resources small utilities need to defend themselves from cyber threats now? Dragos itself has stepped up through its OT-CERT and Community Defense Program. The Cyber Readiness Institute has its free Cyber Readiness Program - Resiliency for Water Utilities Program. Additionally, there are the 5 ICS Cybersecurity Critical Controls (which have been heavily referenced in the soon-to-be released refresh of WaterISAC’s Cybersecurity Fundamentals for Water and Wastewater Utilities). Likewise, WaterISAC recently joined forces with NRWA in hopes to increase resilience efforts among some of the country’s smallest and often overlooked utilities, including 25,000 NRWA members that serve populations of 3,300 or fewer. But that's not enough.

“…if we really want to help small utilities defend against cyber threats, we have to close the resource gap. Cybersecurity and operational reliability go hand in hand, and budgets need to reflect this. Budgeting processes need to include cybersecurity needs as baseline requirements and they need to be informed by cyber expertise. And costs for cybersecurity investment need to be recoverable. We can’t make utilities choose between reliability and security. Our communities need both.”

Well said, Rob.

Related WaterISAC posts

• WaterISAC and NRWA Announce Collaborative Effort to Better Serve the Underserved
• Cyber Resilience – Cyber Readiness Institute (CRI) Continues Recruiting Small and Medium-sized Water and Wastewater Utilities for Free Cybersecurity Training
• Cyber Resilience – Recap of Tuesday’s Hearing on Securing Operational Technology in the Water Sector