B. Water Utility Response to Cybersecurity Threats
As hackers become increasingly sophisticated, destructive, and active, protecting against cyberattacks remains a top priority for public and private water and wastewater systems. For example, on February 5, 2021, a hacker gained access to the water treatment control systems of the municipal water system in Oldsmar, Florida, and attempted to change the water supply’s level of sodium hydroxide, also known as lye or caustic, to dangerous levels.1 According to city officials, a plant operator quickly noticed the breach and returned the sodium hydroxide to normal levels.2 In March 2018, cybercriminals launched a ransomware attack on the city of Atlanta that disrupted the city’s utilities and disabled the Atlanta Department of Watershed Management’s website.3 In another incident, the Lansing Board of Water & Light, a municipally owned public utility in Lansing, Michigan, became the victim of a “spear-phishing” attack when an employee opened an e-mail attachment and accidentally downloaded malware that shut down the utility’s internal computer system.4 It was reported that the utility paid a ransom of $25,000 in bitcoins to remove the malware.5 And, in January 2021, a cyber attacker attempted to poison a water treatment plant that served parts of the San Francisco Bay by hacking into its computer system and deleting programs used by the plant to treat drinking water.6
These alarming episodes underscore the need to address cybersecurity protections for the country’s water and wastewater systems. While all sectors of the nation’s critical infrastructure are potential cyberattack targets, the water system is particularly vulnerable given its dispersed and fragmented nature—there are approximately 70,000 individual water and wastewater utilities across the country.7 In addition, the water system is primarily managed and operated by a number of municipal and/or private entities, some of which may have outdated information technology equipment and/or limited budgets for cybersecurity programs, unlike the gas and electric sector, which is dominated by large for-profit corporations.8 As a result, many small systems, particularly those in rural areas, may lack the resources or knowledge to fully protect themselves against cyberattacks.9
According to the U.S. Environmental Protection Agency (EPA), cyberattacks on water or wastewater utilities can result in significant harm by, for example, (1) upsetting treatment and conveyance processes by opening and closing valves, overriding alarms, or disabling utility equipment; (2) defacing a utility’s website or breaching its email system; (3) stealing customers’ personal information or credit card data; or (4) installing malicious programs like ransomware or viruses that can disable control operations.10 Cybersecurity attacks can compromise a utility’s ability to provide clean and safe water to customers, undermine consumer confidence, cause financial loss, and subject a utility to legal liability.11
In a June 2021 survey of approximately 600 water and wastewater utilities conducted by the Water Information Sharing and Analysis Center, survey respondents identified the following needs to help improve their cybersecurity resilience: (1) training and education specific to the water sector; (2) technical assistance, assessments, and tools; (3) cybersecurity threat information; and (4) federal loans and grants.12 Approximately 23% of responding systems reported that they conducted annual “cybersecurity risk assessments,” defined by the survey as “the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system,” with 7.61% and 5% of responding systems reporting that they conducted cybersecurity risk assessments quarterly or weekly, respectively.13
Currently, the water sector is not required to comply with specific federal cybersecurity requirements, and many water and wastewater utilities are only required to self-report that they have evaluated their own systems and that they have a response plan.14 Specifically, all water systems voluntarily self-report their cybersecurity protocols to the EPA, which is tasked with overseeing water cybersecurity under Presidential Policy Directive (PPD) 41.15 Pursuant to PPD 41, in the event of a cybersecurity attack against the water sector, the U.S. Department of Homeland Security, through the National Cybersecurity and Communications Integration Center, is the federal lead agency responsible for asset response by providing technical assistance to the affected infrastructures (e.g., water utilities) to protect assets, mitigate vulnerabilities, and reduce impacts.16
Legislators and experts have warned that the nation’s water system is vulnerable to cyberattacks. At a July 21, 2021, hearing of the U.S. Senate Committee on Environment and Public Works on cyber threats to critical infrastructure, Committee Chairman Tom Carper (D-Del.) warned of the “mounting cybersecurity challenges facing our nation’s drinking water and wastewater systems.”17 The Cyberspace Solarium Commission, a non-partisan group founded in 2019 to develop strategies to defend the United States against cyber threats, testified at the hearing that the nation’s water and wastewater utilities were among the most vulnerable components of the nation’s critical infrastructure to cyberattacks.18
On July 28, 2021, President Biden issued a National Security Memorandum entitled “Improving Cybersecurity for Critical Infrastructure Control Systems,” which addresses the cybersecurity of the nation’s critical infrastructure, including the water and wastewater sector (Memorandum).19 The Memorandum establishes an Industrial Control Systems Cybersecurity Initiative (ICS Initiative), “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems,” whose primary objective is to “facilitat[e] deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.”20
Under the Memorandum, the U.S. Secretary of Homeland Security, in coordination with the U.S. Secretary of Commerce (through the Director of the National Institute of Standards and Technology), and other agencies, as appropriate, will develop and issue “cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.”21 The Memorandum states that the U.S. Secretary of Homeland Security shall issue “preliminary goals for control systems across critical infrastructure sectors no later than September 22, 2021, followed by the issuance of final cross-sector control system goals” by July 28, 2022. Cybersecurity threats in the water and wastewater sectors appear to be increasing, and, as a result, the water and wastewater industry must continue to evolve its cybersecurity standards and protections.
C. Severe Water Shortages in the Western United States Lead to Conservation Measures
The western United States is experiencing extreme drought conditions, and the resulting water shortages are triggering strict conservation measures throughout the region. On May 25, 2021, the water elevation of the Lake Mead reservoir dropped below 1,075 feet, the lowest level that it has reached since the 1930s.22 The U.S. Bureau of Reclamation (UBR), the federal entity responsible for managing water supply in the Colorado River Basin, projects that the reservoir will remain below 1,075 feet for the rest of the year, triggering the first-ever water shortage conditions for the Lower Colorado River Basin, which consists of Southern Nevada, Southern California, and most of Arizona.23 Shortage conditions will result in cuts to the amount of water allocated to the states; Nevada and Arizona will likely see water cuts beginning in 2022.24
In California, fifty of the state’s fifty-eight counties are under a regional drought state of emergency as of July 2021.25 Drought conditions are particularly severe in the Russian River watershed—on May 25, 2021, the State Water Resources Control Board (Board) sent notices of unavailability to water-rights holders in the Russian River watershed, ordering all post-1914 water rights holders to limit or stop their water diversions.26 Subsequent to the notices of unavailability, the Board promulgated emergency regulations allowing it to issue curtailment orders, which require water rights holders to cease diversions.27 Against this backdrop, local and state governments have taken water conservation measures in an attempt to ameliorate the impacts of the drought. The measures, both temporary and permanent, have the potential to transform the future of water use in the region.
1. Mandatory Restrictions on Water Use
On June 7, 2021, the city of Healdsburg, located in the Russian River watershed, announced Stage 3 Water Restrictions in order to maintain enough water supply to sustain public health and safety needs for the remainder of the year.28 The city limited residential customers to a water budget of seventy gallons per person per day in an attempt to reach a system-wide reduction of forty percent.29 In addition, the city prohibited automated irrigation, activities such as washing vehicles, and planting new plants or grass.30 To lessen the impact of the restrictions, the city launched a program in late June to offer free deliveries of recycled treated wastewater to residents for landscaping use.31 As of July 5, 2021, over 450 residents had signed up for the program.32 According to the city, for the week ending July 2, 2021, these measures led to a forty-four percent reduction in water use compared to 2020 usage.33
Other municipalities in the region have severely limited the use of water for landscaping purposes. In California, the city of Sonoma prohibited residential and commercial irrigation except on Mondays and Thursdays from 8 pm to 6 am.34 Residents of Marin County are allowed to use spray irrigation one day a week, and each community in the county has a designated watering day.35 Widespread mandatory restrictions on landscaping use call into question the future of water-consuming grass in the region. Las Vegas, Nevada, has turf limits restricting the amount of grass that can be planted at new properties.36 A number of municipalities already offer rebate programs in the hope that residents will replace grass with drought-tolerant landscaping.37 However, more drastic measures related to landscaping may be required in the future.
2. The End of Nonfunctional Turf?
Some governments are enacting permanent water conservation measures in response to the drought conditions. On June 4, 2021, Nevada Governor Steve Sisolak signed legislation that, on or after January 1, 2027, prohibits the use of Colorado River waters distributed by the Southern Nevada Water Authority38 to irrigate “nonfunctional turf” on any property not zoned exclusively for single-family residences.39 Generally, “nonfunctional turf” includes grass that is purely decorative and not used for recreation.40 Examples include, but are not limited to, grass bordering parking lots, walkways and sidewalks, grass found along streets between the curb and sidewalk, and landscaping at office parks and commercial properties.41 Pursuant to the legislation, the Board of Directors of the Southern Nevada Water Authority will be responsible for drafting the final definition of “nonfunctional turf” and developing a plan that will result in the removal of existing “nonfunctional turf” in the service area of the Authority before December 31, 2026.42 In addition, the legislation creates the Nonfunctional Turf Removal Advisory Committee, which will be comprised of various stakeholders and will advise the Board of Directors on the nonfunctional turf removal plan.43 According to the Southern Nevada Water Authority, there are approximately 5,000 acres of “nonfunctional turf” throughout Southern Nevada that consume about 12 billion gallons of water every year, equal to ten percent of the region’s current allocation from the Colorado River.44 It is estimated that this legislation could result in water savings of 9.5 billion gallons a year.45
As severe drought conditions continue to worsen throughout the western United States, state and local governments will need to consider taking drastic measures to limit water consumption. Considering the mandatory restrictions already implemented and Nevada’s nonfunctional turf bill, it is likely that future regulation will transform the landscape of the region.
Endnotes
1. Andy Greenberg, A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say, Wired (Feb. 8, 2021), https://www.wired.com/story/oldsmar-florida-water-utility-hack.
2. Id.
3. Laila Kearney, Atlanta Takes Down Water Department Website Two Weeks After Cyber Attack, Reuters (Apr. 5, 2018), https://www.reuters.com/article/us-usa-cyber-atlanta-water-idUSKCN1HC2WB.
4. Rebecca Smith, How a U.S. Utility Got Hacked, Wall St. J. (Dec. 30, 2016), https://www.wsj.com/articles/how-a-u-s-utility-got-hacked-1483120856.
5. Id.
6. Kevin Collier, 50,000 Security Disasters Waiting to Happen: The Problem of America’s Water Supplies, NBC News (June 17, 2021), https://www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-was-easy-entering-password-rcna1206.
7. Jim Magill, U.S. Water Supply System Being Targeted by Cybercriminals, Forbes (July 25, 2021), https://www.forbes.com/sites/jimmagill/2021/07/25/us-water-supply-system-being-targeted-by-cybercriminals/?sh=3bcb46ca28e7.
8. See Jule Pattison-Gordon, What Will It Take to Defend Public Water from Cyber Attacks?, Governing (July 27, 2021), https://www.governing.com/security/what-will-it-take-to-defend-public-water-from-cyber-attacks.
9. Id.
10. U.S. EPA, Water Sector Cybersecurity Brief for States, https://www.epa.gov/sites/production/files/2018-06/documents/cybersecurity_guide_for_states_final_0.pdf (last visited Sept. 23, 2021).
11. Id.
12. Water Sector Coordinating Council, Cybersecurity 2021 State of the Sector (June 2021), https://www.waterisac.org/system/files/articles/FINAL_2021_WaterSectorCoordinatingCouncil_Cybersecurity_State_of_the_Industry-17-JUN-2021.pdf.
13. Id.
14. Pattison-Gordon, supra note 8.
15. Presidential Policy Directive 41 (July 26, 2016), https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident.
16. Id.
17. Press Release, U.S. Senate Comm. on Env’t & Pub. Works, Chairman Carper’s Opening Statement: Cybersecurity Hearing (July 21, 2021), https://www.epw.senate.gov/public/index.cfm/press-releases-democratic?ID=124873FA-BB9F-4BAA-8DF2-5A282148036E.
18. Id.
19. White House, National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems.
20. Id. The ICS Initiative began in April 2021 with an Electricity Subsector Pilot through which over 150 electric utilities either began deploying or agreed to deploy control system cybersecurity technologies. Press Release, White House, FACT SHEET: Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/fact-sheet-biden-administration-announces-further-actions-to-protect-u-s-critical-infrastructure.
21. Id.
22. See U.S. Bureau of Reclamation, Lake Mead Reservoir Elevation (May 25, 2021), https://www.usbr.gov/lc/region/g4000/riverops/HOVR_FB_CurrentYear_Daily.html.
23. U.S. Bureau of Reclamation, News Release, Reclamation Releases Additional 5-Year Projections to Support Drought Response Planning Efforts in the Colorado River Basin (July 8, 2021), https://www.usbr.gov/newsroom/#/news-release/3912.
24. See U.S. Dep’t of Interior, Record of Decision, Colorado River Interim Guidelines for Lower Basin Shortages and the Coordinated Operations for Lake Powell and Lake Mead (Dec. 2007), https://www.usbr.gov/lc/region/g4000/4200Rpts/DecreeRpt/2013/1%202007%20ROD%20Interim%20Guidelines-Shortages-Coordinated%20Operations.pdf; U.S. Bureau of Reclamation, Exhibit 1 to the Lower Basin Drought Contingency Plan Agreement (May 2019), https://www.usbr.gov/dcp/docs/final/Attachment-B-Exhibit-1-LB-Drought-Operations.pdf.
25. Press Release, California Office of Governor, As Drought Conditions Intensify, Governor Newsom Calls on Californians to Take Simple Actions to Conserve Water (July 8, 2021), https://www.gov.ca.gov/2021/07/08/as-drought-conditions-intensify-governor-newsom-calls-on-californians-to-take-simple-actions-to-conserve-water.
26. See Cal. State Water Res. Control Bd., Water Unavailability in the Russian River Watershed (May 25, 2021), https://www.waterboards.ca.gov/drought/north_coast/docs/faq_russian_river_water_unavailability.pdf.
27. See State of California Office of Administrative Law, Notice of Approval of Emergency Regulatory Action (July 12, 2021), https://www.waterboards.ca.gov/drought/russian_river/docs/rr_reg_approval_oal.pdf.
28. City of Healdsburg, Current Drought Information (June 7, 2021), https://ci.healdsburg.ca.us/714/Current-Drought-Information.
29. Id.
30. Id.
31. City of Healdsburg, Recycled Water Delivery (2021), https://ci.healdsburg.ca.us/1022/Recycled-Water-Delivery.
32. Katherine Minkiewicz-Martine, Healdsburg’s Recycled Water Program Is Gaining Popularity, Healdsburg Trib. (July 5, 2021), https://soconews.org/scn_healdsburg/news/healdsburg-s-recycled-water-program-is-gaining-popularity/article_a82259ae-de11-11eb-bba3-e33d28241c30.html.
33. Id.
34. See City of Sonoma, Water Conservation Measures (2021), https://www.sonomacity.org/water-conservation-measures.
35. See Marin Water, Water Use Restrictions (July 2021), https://www.marinwater.org/waterrules.
36. See Las Vegas Valley Water Dist., Drought and Conservation Measures, https://www.lvvwd.com/conservation/measures/index.html (last visited Sept. 23, 2021).
37. See S. Nev. Water Auth., Water Smart Landscapes Rebate, https://www.snwa.com/rebates/wsl/index.html (last visited Sept. 23, 2021); L.A. Cnty. Waterworks Dist., Cash for Grass Rebate Program, https://dpw.lacounty.gov/wwd/web/Conservation/CashForGrass.aspx (last visited Sept. 23, 2021); City of Healdsburg, Water Rebates (2021), https://www.ci.healdsburg.ca.us/723/Water-Rebates.
38. The Southern Nevada Water Authority is responsible for water treatment and delivery, as well as acquiring and managing long-term water resources for Southern Nevada.
39. Nev. Assemb. Bill 356 (chaptered June 4, 2021), https://www.leg.state.nv.us/App/NELIS/REL/81st2021/Bill/7910/Overview.
40. See S. Nev. Water Auth., Frequently Asked Questions, Restricting Outdoor Water Use, https://www.snwa.com/importance-of-conservation/restricting-outdoor-water-use/index.html (last visited Sept. 23, 2021).
41. Id.
42. Nev. Assemb. Bill 356.
43. Id.
44. See S. Nev. Water Auth., supra note 40.
45. Id.