CSC 2.0 Reports

After Action Report: Multistakeholder Insights to Advance Water and Wastewater Infrastructure Cybersecurity

To improve efficiency and quality of service, water and wastewater systems are increasingly dependent on networked technology.

Executive Summary

Safe and reliable drinking water and dependable wastewater systems are essential to daily life. To improve efficiency and quality of service, water and wastewater systems are increasingly dependent on networked technology – a trend that will only escalate as global digital transformation continues. While these technologies improve the delivery of water and wastewater services, they also introduce new risks. Effectively managing this cyber risk in the United States is particularly challenging because control of water and wastewater infrastructure is distributed among a vast array of over 100,000 unique public and private entities, many of which are small and lack the resources and expertise necessary to mitigate growing threats.

The vulnerability and the criticality of water and wastewater systems make them prominent targets for both profit-seeking cyber criminals as well as geopolitical rivals exploiting a new domain of conflict. Addressing the cybersecurity gaps of this expansive critical infrastructure sector will require robust communication and cooperation across the public and private sectors at every level.

To support this multistakeholder engagement, Microsoft and the Cyberspace Solarium Commission 2.0 (CSC 2.0) jointly hosted a series of roundtable discussions in late 2022 and 2023 on cybersecurity in the water and wastewater sector. Over four virtual gatherings, experts from federal agencies and Congress, as well as from across the water and technology sectors, joined in discussions around (i) threats to the sector, (ii) standards, best practices, and emerging regulations to reduce cyber risk, (iii) international obligations to protect the water sector from cyberattacks, and (iv) how to build cyber resilience across the sector.

Concurrent with the roundtable series, federal agencies, standards bodies, and industry groups have been studying and proposing initiatives to address cybersecurity in the sector. The Microsoft-CSC 2.0 roundtable series, however, was unique in that it brought these communities together to share constructive solutions to shared challenges.

This report contains a summary of those dialogues. The findings across the roundtable series paint a picture of a sector challenged by gaps in cybersecurity risk management alongside a severe lack of resources to address them. We would like to thank the offices of Representatives Jim Langevin and Mike Gallagher as well as Senator Angus King for their support of these roundtable discussions, and the U.S. agencies that participated – including the Environmental Protection Agency (EPA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Office of the National Cyber Director (ONCD), and National Institute of Standards and Technology (NIST). Together with participants from across the water and technology sectors, as well as from civil society and academia, the discussions surfaced priority recommendations (summarized below) for legislators, relevant U.S. agencies, and the water sector itself.

We hope the discussions facilitated throughout this dialogue series, and the guidance included throughout this report, can underscore the urgency of addressing the challenges and highlight a path forward for investment and cooperation across sectors, stakeholders, and geographies to protect and defend the nation’s water and wastewater systems. Moreover, we hope that the recommendations and lessons learned can serve as a valuable reference point for international audiences looking to improve the cybersecurity of their own water infrastructure as well.