Water Data Forum: Cybersecurity in Small & Rural Water Systems

[00:00:00] Max Herzog: Welcome everyone to Water Data Forum. is the first session for this year, a series co-presented by Cleveland Water Alliance, the Water Environment Federation and CUAHSI. Generally this session or this series is focused on demystifying topics and water data. Addressing a variety of different topics just through the lens of water and data.

[00:00:36] Max Herzog: And today's session is gonna be focused on cybersecurity and small and rural water systems. Before we get started, just a piece of housekeeping. We will have some time at the end to answer audience questions and we ask that you please drop those in the Q&A function in the toolbar at the bottom that is different from the chat.

[00:01:01] Max Herzog: the Q&A will also let our panelists respond via text to your questions, throughout if they have time or have answers. and so we will go to that Q&A first before questions in the chat at the end. So please try and drop your questions there. My name is Max Herzog. I'm Deputy Director of Programs and partnerships with Cleveland Water Alliance.

[00:01:23] Max Herzog: We're a nonprofit, innovation agency based in northeast Ohio, but working across Lake Erie, the Great Lakes region, as well as the state of Ohio. And we're really excited here to have an excellent panel of speakers today to dive into this topic of cybersecurity in small and rural water systems.

[00:01:44] Max Herzog: First up we have Abhishek Sharda. He's a director with Brown and Caldwell. We have Tony Collins, our Region five Cybersecurity State Coordinator with the Cybersecurity and Infrastructure Security Agency, or CISA, and then we have Doug Short, the Chief Innovation Officer with Trinity River Water Authority of Texas.

[00:02:06] Max Herzog: thanks so much for joining us today. Y'all, I really appreciate you contributing to this conversation. So we can go ahead and dive into the conversation. Again, we'll have a few kind of pre-programmed questions here, and then some time for audience Q&A at the end. And just to kick things off and kind of start to paint a picture of the landscape here, I'm wondering if each of you could speak to your perspective on the role of cybersecurity in the operations of small and rural.

[00:02:37] Max Herzog: Water and wastewater systems. What does the landscape look like today? And, and give us a sense of how your work in particular factors into that landscape. And I think if we could start with Tony, that'd be great.

[00:02:49] Tony Collins: Sure. Hi everyone. Thanks Max. CISA is a federal agency. We're an agency under the umbrella of the Department of Homeland Security.

[00:03:01] Tony Collins: We were the newest agency for the federal government. We were established in 2018, and we fit into the proactive side of cybersecurity for the most part. We do deal with some incident response and that kinda stuff as well. We can't help with that, but predominantly we're focused on proactive cybersecurity.

[00:03:25] Tony Collins: Our job, my job, my role, my mission is I work in the field as we call it, or the integration integrated operations division of, of CISA. And we have both cybersecurity and physical security advisors throughout the country that work with organizations both private and public, across all areas of critical infrastructure.

[00:03:53] Tony Collins: So, related to this topic with water, we work with organizations both on their IT cybersecurity and their OT cybersecurity on the threat landscape. No one's safe if you're connected in any way to the internet, you're at risk. whether it's nation-state actors or cyber criminals, that they all want your information, they all have different.

[00:04:22] Tony Collins: Reasons for wanting to attack you, but you are a target, so it's important to be proactive in your cybersecurity. The, the best defenses is to the, the objective is to keep them out of your environment. You want to fight that outside your environment as opposed to fighting it inside your environment.

[00:04:44] Tony Collins: It's a whole different. There's a no-win situation. There's cybersecurity being proactive. I can't say enough about it. That's where you should spend your money. There is no perfect cybersecurity, so we do need to plan for issues that could happen, but being proactive. It is key. So from A CISA standpoint, we, again, we are a federal government agency, but I want to point this out to you and make it very clear.

[00:05:11] Tony Collins: We are not regulatory. We do not come in and audit you and then tell the federal government what you're doing or what you're not doing, that's not our goal. Our goal is to help you to be better at cybersecurity. All of our resources are at no cost to you. You've already paid for it. I like to use the term prepaid, so if you have advisors come out and sit with you and talk about cybersecurity.

[00:05:38] Tony Collins: to help you be better at your cybersecurity, improve your cybersecurity posture. That, again, is at no cost to you whatsoever. Same thing on the physical side as well. We offer vulnerability scanning of your public facing assets, your web application. We have tools that you can install in your OT environments to help you look for anomalies and that type of stuff.

[00:06:04] Tony Collins: and again, and then risk assessments to assess your risk posture again, that's an assessment for you, for your benefit, not an audit that we are going to give to some other federal organization. but that's kind of where we fit into the whole picture max.

[00:06:28] Max Herzog: Thanks so much, Tony. Appreciate kind of that high level framing and also just a sense of the variety of resources that CISA, and others have to offer.

[00:06:37] Max Herzog: I'm wondering, Doug, you know, from your perspective as an asset owner, how the conversation looks a little different, or just your perspective to bring, to, again, that role of cybersecurity and the operation of small and rural water systems, and just how your work factors in as well.

[00:06:53] Doug Short: Sure. Absolutely.

[00:06:54] Doug Short: So, as you mentioned, at Trinity River Authority, we own and operate our own water wastewater treatment facilities. We operate as a regional supplier, so our contract customers are cities. Or, other contracts such as DFW, airport, et cetera, that we provide services for. So in total we've got about two and a half million end users that we provide services for, across the 18,000 Mile Trinity River Basin.

[00:07:24] Doug Short: And if you think of the basin including both The Dallas-Fort Worth area and the Houston Metropolitan area. about half the population of the state of Texas. So about, 14 million people depend on the Trinity River and our ability to keep that as a resource for Texans as a safe water source.

[00:07:45] Doug Short: So, very important to what we do. We are also a customer of CISA. so we appreciate all those benefits that CISA gives us, and we do take advantage of some of them. So as the asset owner and as the CIO for Trinity River Authority, I'm responsible for the technology and cybersecurity for nine different water wastewater treatment plants.

[00:08:06] Doug Short: And they go from very small to very large. So our smallest plant is about 1 million gallons a day. Our largest plant is about 189 million gallons a day throughput. So you can see we go from - we have very different challenges at the different areas, and we also exist in large metropolitan areas like DFW and in very small areas in Trinity County, Texas, or in Livingston, Texas, where we have many fewer

[00:08:35] Doug Short: Folks. So through Texas AWWA and Texas Rural Water Association. I also get to interact a lot and share what we have learned at TRA with those small and rural customers, throughout Texas. So we are a large organization. I've got about 500 employees at TRA, I've got about 25 people on my IT and cybersecurity staff.

[00:09:00] Doug Short: we also do operational technology in the plants as well. But as a large organization, we have funding. So we have resources. I can hire people internally, to meet our cybersecurity and technology needs across Texas. We've got about 8,000 small water utilities. They don't have that benefit. Many of them are forced to operate on their own with very little access to IT, OT and cybersecurity expertise.

[00:09:28] Doug Short: And they're facing the same threats that we do on a day-to-day basis, as Tony pointed out, right? But they have a lot of limitations, which make it challenging to consider doing much more than just maintaining operations and making sure that they get a clean product out to their customer. Whether it be drinking water or on the wastewater side, that is going back into the environment.

[00:09:51] Doug Short: So while they have a very heavy reliance on contract support, engineering firms, et cetera, I think many times one of the biggest issues that they face is there's this assumption that their contract partners are all performing cybersecurity for them. Right? And we know if it's not written in that contract.

[00:10:10] Doug Short: It's not gonna happen because there's just a cost basis that the contractors, you know, have to get paid for their services. So they have a very high risk in small and rural, and a lot of times they don't realize the risk that they're facing. So this is a great forum. Thank you for having me on. And, and happy to share our experience with small and rural to hopefully make for a better environment across the water sector.

[00:10:38] Max Herzog: Thanks very much Doug. Yeah, and I think great, segue over to Abhishek, you know, as a private sector consultant that works with a lot of different utilities to implement all kinds of different projects, including. cybersecurity and IT and OT. Wondering if you could share a little perspective on what the landscape looks like for small and rural utilities.

[00:10:58] Abhishek Sharda: Yeah, thank you Max. And, you know, great segue, you know, we, we kind of, at Brown and Caldwell, as an environmental engineering firm, we kind of act as the bridge, right? We wanna make sure, you know, utility partners like, the Trinity Water with Doug, Doug and leads and with the availability of resources at the federal level.

[00:11:17] Abhishek Sharda: How do we bridge the gap? you know, the fact– the crux of the matter remains that a lot of the OT and IT functions, to a large extent, are voluntary. You know, good practices, best practices are, are almost self-imposed. to a large extent. Organizational structures play a big role.

[00:11:39] Abhishek Sharda: You know, as Doug was mentioning, you know, the fact that he has oversight on both the OT and IT side, gives him a unique advantage, right? With smaller utilities, that may or may not be the case, right? They may, may have partnerships, which are unique for the OT side. They may have partnerships which are unique for the IT side, and that puts them in a bind.

[00:12:01] Abhishek Sharda: However, with the digital environment, there is no robust solution, which is without an OT/IT combined package. You know, one of the practices at Brown and Caldwell as an environmental engineering firm is, you know, we don't put the onus on the owners. We do what is called security by design.

[00:12:24] Abhishek Sharda: more and more engineering practices are leading towards that direction, which is let cybersecurity not be an afterthought. as you are looking at the life cycle of placing new assets into the environment, you start considering the design practices right out of the gate, therefore, you know, following, you know, CIE guidelines from a cyber informed engineering initiative that was done by Idaho National Labs, under the Department of Energies Initiative, there is, there's robust guidance that is available that's small and rural utilities, you know, have access to.

[00:12:59] Abhishek Sharda: But always the question remains: where do you start from? What's the starting point? And  I always, probably chime with Tony, as you said earlier. There is no good starting point. Anytime you start at a good point, throughout the life cycle, whether you can do it at the beginning of your project that you're, you know, kind of conceptualizing things to when you have placed an asset in your environment.

[00:13:22] Abhishek Sharda: small, you know, another unique, you know, tenet that I wanna kind of share with all of us that a lot of times, you know, we associate small and rural, with the number of people they serve. But in terms of physical geography, they are pretty large. They actually, you know, have large swaths of land.

[00:13:43] Abhishek Sharda: You know, just because their density is not like a, like a major metropolitan area, that does not mean that they are, they're not actually, you know. Serving a lot of customers, their volume is lesser, but the landscape that they occupy is massive. so the water resources that are under their nose, they are equally critical because of just the physical size that those utilities, you know, have to serve and serve under.

[00:14:14] Max Herzog: Thank you. great. kind of just a general overview of the landscape from y'all as well as, you know, a bit more on, on each of your organization's role in that landscape. I want to now turn to just a sense of the limitations, the risks and barriers that, that currently limit the potential of, of cybersecurity, implementation.

[00:14:37] Max Herzog: For water and wastewater systems, and specifically how it looks different for small and rural systems. I know we started to touch on this a bit, but Doug, maybe if you could expand a bit on some of the barriers, the risks and the limitations in this space.

[00:14:54] Doug Short: Sure. Thanks, Max. So, you know, I've been in, I've only been in the water industry for about 11 years now.

[00:15:01] Doug Short: Right. So, here in Texas, that's a very junior person. We've got people that have been in the industry 30, 40, 50 years, that are kind of, kind of running a lot of our facilities. and when I got here 11 years ago, I was hired mainly because of a cybersecurity background that I had. and I've started doing a lot of speaking.

[00:15:21] Doug Short: But as I go out. There's still this mindset out there, especially among some of the smaller and rural facilities that we're too small and we wouldn't be a target. I mean, I know Tony could tell you a thousand stories about how small and rural is not really a consideration, right? So you may not be targeted by a nation state actor, but you will be targeted by those people who would want to ransomware your facilities just for money or for criminal activity, and you can be a target of opportunity as well.

[00:15:54] Doug Short: Which is if somebody's out there and does a showdown or a sense of scan and sees that your assets are out there, connected to the internet and available, then they can easily target you and, in the nation state side of things, they may just want to hold that access, learn on, learn from your systems, how systems in the water sector work, et cetera.

[00:16:16] Doug Short: Or they may. want to just sit there in case at some point they ever want to cause a disruption to the United States and have us focus on something other than what they want to accomplish elsewhere in the world. So that actual mindset, which we still run into today, is really, a high risk and it leads to a lot of times people ignoring vulnerabilities that they have within their systems, right?

[00:16:45] Doug Short: So. We're seeing a much larger frequency of attacks. We're seeing nation state attacks focus on the water sector more today than they had in the past. And as Abhishek mentioned earlier, just from, especially here in Texas, right, so some of our small and rural water systems are very spread out. You have to have remote access to be able to facilitate the operation of your systems.

[00:17:11] Doug Short: Right? And that brings up additional vulnerabilities. And when those utilities that are small and rural have basically no IT/OT or cybersecurity expertise, it's very hard for them to prioritize within the contracting process or within the funding process, within their boards, their city councils, and their leadership, the expense.

[00:17:39] Doug Short: Of cybersecurity. So it's hard for them to, to, if, if you don't have a good understanding of cybersecurity, how do you justify to your board the expense of that, going forward? So that's one of the things that I think is very important. And people like Tony and Abha, if you have good vendors and good contractors, they can definitely help you with that, right?

[00:18:01] Doug Short: You don't have to know it all yourself, so. If you aren't able to then get the funding, et cetera, then you're gonna have vulnerabilities within your system. And those vulnerabilities in the worst case, could just lead to interruption of service for your customers. And while, as Abhishek pointed out rightly, right, you may not have a million customers in your system, the 10,000 customers still rely on you for the water needs or the downstream effects of if you don't clean wastewater properly and put it.

[00:18:35] Doug Short: Back into the environment. So everybody's on a cybersecurity journey. There's a lot of basic steps that you can take, right? It's not hopeless. If you can do a few things really well, you'll deter the majority of the attacks that you have out there. and there are a lot of resources out there. In fact, AWWA, just in the last few days, published updated cybersecurity guidance and an updated assessment tool.

[00:19:01] Doug Short: The focus for that was to lay out more of a roadmap. So if you have done nothing, start here and it goes through some of those basic steps that you should accomplish. And then there's a phase two, which builds on that, and a phase three, which builds on that as you go down that maturity journey.

[00:19:16] Doug Short: Throughout there. So if you haven't already started, or if you're somewhere in the journey, the AWWA tool might be a good thing for you to use as a reference. CISA has a ton of resources available out there as well. Most of them have already been paid for by the taxpayer, so they're free to us. So if you haven't done anything, you should start doing something.

[00:19:37] Doug Short: And if you have, just try to do something different tomorrow. Keep moving down that road to improvement.

[00:19:44] Max Herzog: Thank you, Doug. Yeah. Abhishek as kind of, again, you know, a firm that helps a lot of utilities move down this road. I'm curious about your perspective on some of those, again, risks, barriers and limitations, as well as maybe some of the resources you're seeing folks tap into to address them.

[00:20:02] Abhishek Sharda: You know, probably lean into more on, you know, self governance there. Right. With smaller utilities, largely, you know, the, the question starts with what are the resources they currently have? Right? Is it, is it a couple guys in a truck driving around? You know, the complete landscape, or the perimeter of the really trying to do their best.

[00:20:23] Abhishek Sharda: And then what does best look like for them? Is it just making sure that, the lights are on? or is it making sure that anything with blinky lights on it, as I call it, it, it's still functioning right, and it's still kind of, kind of live and, you know, it's, you know, it's not behaving funny.

[00:20:40] Abhishek Sharda: a lot of those, those, pieces are basically. Going back to how the utility chooses to. Have, it's not been surprising for us to even find small utilities, not even completing the basic via assessments, which are, you know, a basic, you know, nine, 10 page questionnaire, nine, sorry, nine, 10 questions questionnaire.

[00:21:02] Abhishek Sharda: but plenty of support. Those kinds of smaller activities can be accomplished. But again, To be fair to them, they don't know whom to rely on. They don't know where to start from, and that kind of, just kind of exponentially increases their risk, because the risk is not just because of their assets risk because.

[00:21:21] Abhishek Sharda: Them not knowing what kind of resources they do have access to. And that's where, you know, you know, we have been trying to monitor and, you know, help them with ensuring that, you know, those prepaid resources that Tony talked to us about through CISA and other agencies are available to them. And they are, uh.

[00:21:42] Abhishek Sharda: Those are not resources that will put them in a disposition where they will be challenged on where they are, but really help them solidify their overall cybersecurity posture. You know, giving them access to training programs and resources. Sometimes it's as simple as just pointing them in the right direction.

[00:22:02] Abhishek Sharda: I think some of that behavioral change. They'll, they'll slowly start impacting and seeing its way to trickle, trickling down to, to from larger to smaller utilities. And thanks to folks like Doug who are going there speaking and, you know, and educating, you know, the, the larger community, the, the ownership would, kind of increase in terms of not just the awareness, but how they can use that awareness to make decisions and govern their environments.

[00:22:32] Max Herzog: Thanks Abhishek. Really helpful and, and I think painting the picture again of some of the roadblocks, stumbling points, but also the fact that there are so many resources available and, and sometimes it's just bridging that gap of, of awareness, of and capacity to engage. I wanna turn out to our last question, but before diving in, I wanna remind our audience that if you do have questions that come up for you throughout this conversation, please feel free to be dropping them in the Q&A section as we go.

[00:23:04] Max Herzog: We will have some time at the end to address them, so, please do feel free to drop those questions in. So just for our last, you know, curated question here, I'm curious, For you all, what do you see as, as the future of cybersecurity in, in small and rural water systems? What, what could, for example, successful scaled implementation of this technology look like?

[00:23:29] Max Herzog: And then what could it enable? but also what negative outcomes could materialize if risks are not adequately address. I know we started to touch on this, but just to develop that out a little more. Abashak, I think we can start with you here.

[00:23:44] Abhishek Sharda: Yep. You know, you know, kind of just kind of connecting the dots from, my last response, Mike, you know, behavioral change is important, right?

[00:23:50] Abhishek Sharda: I like to get the anecdote of seatbelts, right? 19, late 1960s was when the seatbelt law actually came out, you know, but you know, seatbelts were available before that. you know, now, you know, most of us don't even think twice before we strap on our seatbelts. When we hop in the car, it's a behavioral change, right?

[00:24:11] Abhishek Sharda: I think that's what we need for all of us in the water community, is to start looking at our assets. Throughout their lifecycle from the time we think about them to the time we deploy them, you know, to the time we actually start, you know, putting them in service and then how we maintain them into the end of the lifecycle, which is like, how do we, you know, unplug them from our environment and update them or upgrade them.

[00:24:33] Abhishek Sharda: It's a full 360 circle that needs to be managed and that's a behavioral change. You know, another, carrot that, you know, a lot of the states, you know, for example, the state of Idaho's, DEQ is giving a higher SRF scoring, which is state revolving fund scoring to, you know, pro projects and partnerships, which actually have CIE cyber informed engineering baked into their designs.

[00:25:02] Abhishek Sharda: Now, that's a great carrot, right? So if you wanna get funding for your program or your project, you know. That's a good lever to pull, right? There's an economic lever. That's a huge advantage if you have done good cybersecurity, you know, design practices into your, into your projects. That's, that's huge, right?

[00:25:19] Abhishek Sharda: I mean, that helps you get a higher ranking. Make sure your funding is there, you know, so, so while those things are all kind of happening, eventually it'll come down to how we change the behavior and these are all components or. Ideas, which will help change the behavior being, whether that's financial levers or whether that's, that's imposing regulatory requirements, right?

[00:25:42] Abhishek Sharda: So as small utilities go back to renewing their licenses, you know, AWWA is gonna go back and say, Hey, we need you to fit this assessment and look at your cybersecurity posture. Make us aware so that future programs can be put into place, which actually help them move in the right direction on their maturity curve.

[00:26:03] Abhishek Sharda: But the whole goal is we've all gotta start somewhere.

[00:26:08] Max Herzog: Yeah, absolutely. And I, I love too that idea of, and it sounds like what, what the state of Idaho is doing of incorporating cyber requirements into funding, it sort of passes, takes that same approach of, you know, encouraging utilities to incorporate cyber into their RFPs so that it, you know, the consulting companies are required to incorporate that element, but taking it up to that next level of, of requiring utilities to, build that in, to access the funding that they need.

[00:26:33] Max Herzog: Tony, I'd love to get your thoughts. You know, again, really having this high level view of, of the cybersecurity state of the sector in the US. What do you see as the future here and, and where are we headed?

[00:26:48] Tony Collins: Oh, the scary part, right? So the future's here. Welcome to the future. So, Doug touched on this a little bit, but we have an article, white paper, that you can go to CISA.gov and download it.

[00:27:01] Tony Collins: It's very good. On Volt Typhoon Volt Typhoon is the People's Republic of China, the PRC state sponsored actor group, that we've identified in our critical infrastructure over the last couple years. So they are setting a persistence within our environments, the communications, the water sector.

[00:27:32] Tony Collins: The internet sector, I guess that would fall into communications, but why? Right. They're not doing ransomware. They're not stealing secrets. Their intent is to set that persistence, as Doug mentioned earlier, so that if they ever need it, they've got it. They've got that foothold if they ever need it. This is very similar to the last two.

[00:27:57] Tony Collins: Events that happened between Russia and the Ukraine started with this same type of activity. The Russians got into the Ukrainian infrastructure and basically shut down the power before they attacked. So that's kind of scary. to me. You know, we, in the United States, I believe are a little spoiled when we go and turn on the water.

[00:28:25] Tony Collins: We get water, we get nice, clean, drinkable water for most, for most people. And, and we kind of take that for granted. So what if you went and you turned on the faucet? Nothing came out. Not a good situation. So AI, we all hear about AI. Every day. AI is also in the cyber world, both on the good side and on the bad side.

[00:28:50] Tony Collins: So just like the internet, right? We connected the world at the speed of light. Now with the internet, and the bad guys can take advantage of, and they can attack you from anywhere in the world at the speed of light. They have, I guarantee you, state sponsored actors have more resources than you could ever dream of.

[00:29:09] Tony Collins: And not just cyber resources, not just IT resources. They have psychologists, they have psychiatrists. I. On working for them and their organizations. It's, it's not fair, right? but we still have to try to do our best to defend ourselves. So AI's come into the picture. We've identified a new GPT agent on the dark web now called GhostGPT.

[00:29:36] Tony Collins: This came out, earlier in the year, I think it was February, January, February, is identified and what go, so in the past to perform a cyber attack, you, you know, created the phishing emails. You had to create some kind of payload or malicious link that you either got somebody to click on or download something to get into your environment.

[00:29:59] Tony Collins: Well, you had to have some, a little bit of talent, let's say, to pull off these kinds of attacks, to be successful at doing this right. Now you can just go out to the dark web on the GhostGPT and rent this. I can go out and say, Hey, as a novice, right, or as an experience, whatever I wanna be, I create an attack for a small water plant in rural

[00:30:27] Tony Collins: North America, United States, create a phishing campaign, create a phishing email for me. Create a malicious link, create a payload, whatever the case may be. Create this attack for me and gimme all this information, and then gimme the instructions on how to execute it. So basically you have to have no experience to do this other than GPT experience, right?

[00:30:50] Tony Collins: And so it's here, it's now this is going to increase. The number of people that choose to, whether just for fun, whether they're cyber criminals looking for a payout or nation states, if they have the skills, it just makes 'em more powerful, and more productive in doing this kind of thing. So as far as the cybersecurity standpoint, you know, don't throw your hands up and say, I quit.

[00:31:17] Tony Collins: Right? That's not what we want to do. We want to still be proactive in our cybersecurity. Hey, I'm just checking. Okay. I thought the screen kind of froze, so I just wanted to make sure that we were still connected. So start with the basics. Create a plan, right? Do the basics. Your number one attack vector for most of you is still going to be phishing.

[00:31:40] Tony Collins: Why? 'cause it works 90% of all breaches in the IT environment start with a phishing campaign. Right. People still click on links. That it, it's, you know, we're still gonna win that contest we never entered, we're still going to open that invoice for the Amazon package that we never ordered. Right.

[00:32:03] Tony Collins: we need to be better at proactive phishing training. It, it's, it's a must, assets on public, public facing devices that have vulnerabilities. Those, those are going to be exploited. as Doug mentioned with your census and your showed dance, they're gonna find those. Anybody can use those products to scan the internet and, and find those vulnerabilities.

[00:32:31] Tony Collins: We need to find those vulnerabilities and patch those vulnerabilities, remediate the issue before the bad guys do that. so just the basics, the scanning, long passwords, the MFA. phishing, the basics will take you a long way in your cybersecurity posture. There's a reason why you hear about this over and over and over and over, right?

[00:32:59] Tony Collins: Do better at teaching people about phishing because we're not doing well. It's still, you know, like I said, number one, attack vector. There's no perfect cybersecurity. I. We shouldn't kid ourselves. So we need to be proactive in our cybersecurity, especially with incidents, right? We need to plan and have, for incidents for the bad things to happen, we need to have an incident response, plan for both IT and OT.

[00:33:36] Tony Collins: We need to test those plans yearly. We need to constantly improve those plans. Vulnerability assessments. Again, these are free assessments. We can do vulnerability scanning on your ips, on your web applications. Listen, I used to run a cybersecurity organization for the state of Illinois, and we're all strapped at whether you're public or private, we're all strapped for, for resources.

[00:34:05] Tony Collins: Where do we spend our resources? Use your prepaid resources. You already, you already paid for this through your tax dollars. Use those resources. They're available to you. Reach out to your cybersecurity advisors. That's what we're here for. We're here to help you. Again, prepaid to help you. I can't do what Abhishek does.

[00:34:30] Tony Collins: I can't do what Doug does. Right. But I can help you plan and connect with the right resources to improve your cybersecurity posture, like the consequences in water. This was an eye-opener for me. I, I just, I guess I was spoiled and I never realized it until I got into work with the water sector is that we, we take it for granted, right?

[00:34:55] Tony Collins: When the electricity goes out, oh, the electricity's gonna go on, right? we get out the flashlights, the lanterns or whatever, but whether it's a natural disaster, a big storm, or tornado, or a cyber attack, when the water goes out, what's the first thing hospitals do? They start moving patients. There's a tornado and it affects the critical infrastructure in an organization or our community.

[00:35:25] Tony Collins: What's the first thing we start pushing in? Water? Water is so important and we take it for granted. If that's, if there is no water, what if the worst case scenario, they start tampering with the chemicals, to, You know, clean the water, they start tampering with those chemicals and people start drinking that stuff.

[00:35:50] Tony Collins: That's a terrible situation to even think about. But we have to be prepared. We have to do our best. The resources for critical infrastructure, for the most part, are run by private organizations, not the federal government, right. We need to do our best job as citizens to protect those resources that organize or that people, our citizens across the country rely on those on a day-to-day basis.

[00:36:25] Tony Collins: Water being a key resource. Thanks, Matt.

[00:36:31] Max Herzog: Thank you, Tony. Yeah, I know. dire words for sure, but, really important I think for us to be considering. Seriously, you know, this is clearly a new front in the work to ensure that we really have resilient communities in the future. This kind of readiness is so critical for everyone to be considering and thinking about the vulnerabilities, particularly of those, you know, rural and smaller systems that are under-resourced, undereducated.

[00:37:00] Max Herzog: you know, hopefully communicating about some of the resources that have been shared here today, a lot of which are freely available, can help folks start down that road, and get that kind of minimum viable product in place that can really mitigate significant risk. Thanks again so much to our panelists for this conversation.

[00:37:19] Max Herzog: We do have a couple of questions here in the Q&A and encourage other folks to drop more if they do have some. First up from Mark, he's curious, how do we strike a balance between the benefits of sharing data among water utilities to learn from each other and work better together with the need to maintain data security?

[00:37:42] Max Herzog: I. I wonder maybe Doug managing multiple plants, if you might have some perspective on that, but then happy to have other folks jump in as well, if you have thoughts.

[00:37:51] Doug Short: Yeah, sure. So I, I know, prior, prior to being at, at TRA, I was in DOD, so I worked information sharing at the DOD. The whole government level in DC and I mean, it's a horribly difficult problem.

[00:38:07] Doug Short: Seems really easy. All you have to do is talk to each other, right? But you have to overcome cultural barriers, et cetera. and you know, I, that was, 13 years ago. I know they're still working on it today, right? How do we do that? How do we do that better? There's a lot of things that the government has put in place.

[00:38:25] Doug Short: I mean, you have protected reporting. You can report to CISA, all those reports would be anonymized. You can report to the water ISAC if something happens. Those reports are anonymized if you, unless you want to make them public. At many of our conferences now, I think we're overcoming some of those cultural barriers.

[00:38:46] Doug Short: So we'll see people who get up and will actually share many of the details of how an attack happened. To their utility and how they were able to respond, what was effective, what wasn't effective, what they wish they would've done earlier, what they wish they would've done later. So I think the community itself is opening up, which is great.

[00:39:07] Doug Short: but. You have to overcome that fear first, right? So as an asset owner, I have to make sure that if I call Tony for help, that Tony, the next thing, I'm not gonna be on 60 Minutes, right? sitting there trying to answer questions or pulled up for a press conference somewhere else because all the details were given out.

[00:39:29] Doug Short: And there are safeguards in place. There's critical infrastructure, information protection. the federal government, the FBI. the state, the majority in Texas, the state organizations have protected reporting as well. So we're able to get around a lot of that. I think the first thing you have to do is overcome that fear.

[00:39:50] Doug Short: A lot of that happens from getting to know people like Tony, right? So when you go out, or if you are putting on a conference somewhere or just wanna get in touch with the folks who are gonna be able to help you reach out to your FBI office, your local FBI office. If you're in a large organization.

[00:40:11] Doug Short: They have cybersecurity assets, in most of those FBI offices. Now, reach out to them, become a member of FBI's Infra guard, reach out to your CISA state, cybersecurity advisors. We have folks here in Texas that I probably see four or five times a year. At the different conferences, and they're there to advertise their resources, get to know you, make sure that you're okay with contacting 'em when you have a problem.

[00:40:41] Doug Short: So part of that key is, as Tony mentioned, you need to have incident response plans. You need to have all those contacts in your incident response plans, and don't wait until an incident happens to get to know those people that are gonna respond much better to get to know them, exercise with them. CISA will, at least in our case, CISA will come out and help walk through your exercise and your incident response plans.

[00:41:07] Doug Short: They have pre-formatted exercises that you can pull down off the internet. You can get help to run those FBI will talk to you, your local law enforcement. You should be able to contact. The last thing you want is for when you have a major incident happen. You don't want it to be a pickup basketball game, right?

[00:41:26] Doug Short: Where everybody's just not used to working together. So make sure that the biggest thing is overcoming the culture and the fear of actually reporting and get to know the folks around you.

[00:41:41] Max Herzog: Thanks, Doug. Great insight. Any other thoughts on striking that balance between data sharing and, and data security?

[00:41:49] Abhishek Sharda: I always, just quickly I add onto that, Max. I think, you know, a lot of times, we talk to utility owners, and they say they’re air gapped, right? or, and, I I can, I can tell you, you know, I, I get a chuckle in my, I don't show it, but I get it because I, it is really hard to air gap systems the way everything is connected right now.

[00:42:10] Abhishek Sharda: We may try, air gapping is not a solution, and, and Mark rightly asked that question, right, is like. Data sharing is not an option. Data sharing is going to happen. you know, data itself lacks definition, you know, for, you know, if I think as an engineer, I mean, you know, what is data in the water space, and I say everything is data.

[00:42:32] Abhishek Sharda: Anything that moves in bits and bytes is data. That's how it should be treated. You know, there, there is the balance, you know, as, as Doug rightly said, is, is, is making sure you're ready for when you are under. You know, kind of a vulnerable situation or when you are in distress, you know, you, you build those practices and those processes and, and you follow the data transmission practices and, and, be fully aware that there may be that, that IOO and a chance that you have not tested your system for a particular vulnerability and you would be put under duress.

[00:43:08] Abhishek Sharda: but, I think that data sharing only helps us all when we communalized our, our data for better operations and learn from each other, whether that's when they're becoming under attack or whether we are, you know, you know, using data to improve operations. I think, that, that helps everybody all around and, and we should all be confident that we do have resources and infrastructure, you know, with the agencies and with, you know, engineering partners, who now deeply understand this need, and can help.

[00:43:43] Max Herzog: Thanks, Abhishek. Oh yeah, please, Tony.

[00:43:46] Tony Collins: I, I just want to add on a couple things. So I wanna reemphasize what Doug talked about with the ISAC. Those ISAC are a great resource. I, I can't say enough good things about the different ISAC and along with CISA and the federal government, we work very closely with the EPA, and we also work very closely with the AWWA.

[00:44:09] Tony Collins: So there are lots of resources available to you out there. What I, what I wanted to share about. Reporting incidences and sharing data. I've been doing it for 40 years and cybersecurity for 10 years, and I know about this much what's out there, right? There are no experts. There are a lot of people that know a lot more than I do, but do not be afraid to share.

[00:44:42] Tony Collins: The way we all learn is by sharing, and we all start at the same spot. We all start, whether it's IT or cybersecurity journey, we all start at the same spot at the beginning, right? And somebody taught us, and somebody will teach you, and you will teach somebody. That's the way it works. But the only way that works is by talking, by sharing, by going to these conferences.

[00:45:09] Tony Collins: when we look at, especially on the ransomware side, it's a billion dollar industry, right? For the cyber criminals, that's only half, probably less than half of the cyber ransomware events are ever reported. Work with the FBI that that's a cyber attack on your organization. Whether it's successful or not is a crime in this country, report those crimes to the FBI.

[00:45:38] Tony Collins: If it's happening to you, it's probably happening to somebody else, so being more open. Being willing to share, Billy being willing to say it's okay in, in it, in cybersecurity, it's okay to say I need help. It's okay to say, I don't know. Right. We were all, were there and, and like I said, with AI, we're, we're all there again.

[00:45:59] Tony Collins: So, where's it going to go? I don't know. But, but we all, as a country working together will be better.

[00:46:14] Max Herzog: Thank you. Thank you Tony. So a next question here from Nicole. It feels like we're on a collision course with increasing cybersecurity needs while our current water workforce prepares to retire. What are your thoughts on training the water workforce of the future so that they come to work on day one, understanding cybersecurity needs?

[00:46:35] Max Herzog: Anyone have thoughts on that?

[00:46:39] Abhishek Sharda: I can quickly, you know, share, you know, some of the things that are already ongoing. You know, as one of the, you know, contributors to the cyber informed engineering guidance that was published by Idaho National Labs, under the initiative, from DOE. The adoption has been the penetration of that guidance into the core curriculum.

[00:47:05] Abhishek Sharda: So there are universities and colleges that are looking at that CIE guidance and saying, Hey, how do we put that as part of the curriculum of the engineers or the, you know, the, technologists that they're training in those realms. I fully agree. You know, understand Nicole's question. It is a work in progress.

[00:47:29] Abhishek Sharda: but I think, the fact of the matter remains that, that the fact that we are looking ahead and already looking at means of. Not just putting a guidance on a shelf, but taking it to adoption with educators and furthering it to like, you know, you know, licensure community. So NCES that conducts the Board of engineers licensure testing, is soliciting inputs on, you know, how do they make sure the engineers.

[00:48:03] Abhishek Sharda: Now have fundamental understanding of cybersecurity and are able to, again, go back to secure by design. It is a generational question. You know, I don't know. Any of us will have a simple answer, I think, but I think, you know, I'm just giving some examples of how adoption is happening through different kinds of vehicles.

[00:48:24] Max Herzog: Thanks, Abhishek. Any other thoughts on the kind of nexus of workforce and, and cybersecurity here in water? Tony.

[00:48:35] Tony Collins: Yeah. Thank you. So if, if it hasn't become apparent, I'm kind of a cheap person, right? So I always look at the free stuff first. If, if you go out on the internet and you Google Cybersecurity, if you Google AI, you are going to find, if you Google Cyber OT cybersecurity, you are going to find classes.

[00:49:01] Tony Collins: At no cost to you, right? That is a great place to start. go to CISA.gov and you look for education or training. We have classes there as well that you can leverage. We have, on the OT side, we leverage the Idaho National Labs does classes, Doug mentioned that earlier. The courses that start with basic OT cybersecurity all the way to a hands-on, you are defending a mock environment real time and you're being attacked.

[00:49:41] Tony Collins: So again, those other than the transportation to that last class and, and some of those are even, they, they, they have a. Anyway, the transportation to Idaho to take that class, we don't pay for that, but the class itself would be free. But they also have started those on the road show, so check again with your cybersecurity advisors in your state or region, and they can put you in contact with, with maybe one of those road shows that I know we had one, in St.

[00:50:11] Tony Collins: Louis recently, and it was a great opportunity for people to go to that. And, attend that as well. So on the workforce retiring part, and this is not unique to water, this is pretty unique to IT in general, and I'm guessing OT as well. Documentation, right before they retire, let's get what's in their heads on paper, right?

[00:50:39] Tony Collins: So that we don't let that knowledge walk out the door, right with them. Let's document it. Let's document the procedures, the processes they go through. Let's tabletop those. We can, we can go through those with you, walk through those procedures as is everything what they leave out, update those. That, to me, is key.

[00:51:03] Tony Collins: That's very much overlooked. We worry about documenting what that person knows. After they say, Hey, here's my two week notice, right? Don't wait for that. Document it right now. So you have something that works in your environment. More than likely it's in somebody's head or a couple people that have worked there for years document it.

[00:51:25] Tony Collins: So when you bring in the new people. They follow the procedure that's already established and documented, right? They don't have to make up a new one. They don't have to learn something right off the bat. Maybe they can improve on it as time goes on, but getting those procedures documented and tested is key before you lose anybody in your workforce.

[00:51:46] Tony Collins: Thank you.

[00:51:48] Doug Short: I, I'd just like to add, just real quickly, I know we're, we're getting close on time here, but you know, don't discount the National Associations AWWA wef, the state. Associations that are part of those. I mean, just in Texas over the last few years, the amount of cybersecurity training that we're able to push out through the state associations and the national Associations has gone up dramatically.

[00:52:13] Doug Short: Your organizations are probably already a member of them. so you should be able to take advantage of that type of training. Just like, just like we're doing here on, on this webinar. Also water ISAC puts out a ton of training and resources that you can, you can access. And I think they just got grant funding for small and rural so that many of the small and rural, water facilities can join for free.

[00:52:38] Doug Short: So

[00:52:42] Max Herzog: thanks so much everyone. As mentioned, we are getting towards the end of time, so I think. Well, we do have one question that might be pretty quick, and I think you've maybe touched on this already, Tony. John asked if CISA specifically has training for utility staff to help with phishing threats. Is that the case?

[00:53:07] Tony Collins: That's a tough question. So, years ago we did, we stopped that. there has been talk about starting it up again, but at this point in time, we don't offer any kind of proactive phishing. There, there are articles on a website if, if that's what you're looking for. but right now, as far as the service that we do, proactive phishing, no, we don't, we don't offer that.

[00:53:41] Max Herzog: Okay. Thank you. Mm-hmm. We are at the end of our time here, so I want to thank Tony, Doug, Doug Abhishek, really great discussion today. Thank you so much for sharing your perspectives and your expertise, and the work that you're doing to help kind of shore up our, our cybersecurity future and the water space.

[00:54:00] Max Herzog: obviously really critical work. So thank you very much. I do want to plug before we wrap up, our next Water Data Forum session will be taking place this September. It'll be focused on data-driven management of emerging contaminants. So thinking about the role of data in the detection and treatment

[00:54:20] Max Herzog: Of things like PFAS, microplastics, pharmaceuticals, et cetera. Some of these contaminants that are becoming, ubiquitous or have been ubiquitous and we're just starting to understand them in the environment and thinking about how we tackle those, in a data-driven way. so please tune in to that next session coming up here in September.

[00:54:41] Max Herzog: With that, thank you so much to our attendees for participating today, and I hope y'all have a great rest of your day and rest of your week.

‍