When it comes to cybersecurity research, the Idaho National Laboratory (INL) and Idaho have a relationship that dates back to the 1990s and was hallmarked in 2019 with the opening of the state-funded Cybercore Integration Center on INL’s Research and Education Campus in Idaho Falls.
The center provides a place where researchers from the public and private sectors have access to the latest tools for keeping operational technology systems safe from malicious activity. Digital operational technology is everywhere, from electrical substations to food processing plants to water purification facilities.
In the case of water systems, INL and Idaho are leading in demonstrating how to protect public health in a growing area of national concern. INL is the birthplace of Cyber-Informed Engineering (CIE), a strategic initiative to prioritize cybersecurity in infrastructure design and operation. CIE’s premise is that no matter how many safeguards a system has, determined adversaries will find a way in. Therefore, it is crucial to engineer systems so they suffer minimal damage or fail safely when compromised by cyber-enabled threats.
Since 2023, the Idaho Department of Environmental Quality has factored CIE into its considerations of drinking and wastewater systems. This year, the department has expanded CIE into the scoring of grant applications from communities seeking funds to help replace or update their water systems. This means any grant proposal that contains CIE has a greater chance of being funded.
Idaho has hundreds of community water systems, most of them serving populations of 3,300 or less. Money offered by the Idaho Department of Environmental Quality to modernize those systems is limited, so competition is fierce. “The people we’re trying to get the CIE message to are the consultant engineers,” said Rosemary Regner, the department’s grants and loans engineer. “They … design the systems in the state.”

New avenues for disruption
While community water systems have always been appealing targets for nefarious actors, digital modernization has opened new avenues for disruption. Hackers and cyberterrorists can jeopardize public health by disrupting water supply or wastewater treatment by manipulating chemical levels, altering flow, damaging equipment or causing complete system shutdowns.
In November 2023, engineers at the Municipal Water Authority of Aliquippa, Pennsylvania, saw their system suddenly shut down. Their screens displayed a message from a group calling itself Cyber Av3ngers; the attack was based in Iran.
The utility resumed operations manually, allowing services to continue to city residents and customers in three neighboring townships. But it was a wakeup call to utilities and policymakers nationwide.
Growing risk, compounded by artificial intelligence
Most water systems in the United States are decades old and use antiquated analog technology. This makes it easy for any digitally equipped system, like Aliquippa’s, to be switched back to manual operation, but this is only a temporary advantage. As new systems are built, they will rely on networked digital instrumentation and control systems.
“As they invest in digital technology, they are putting themselves more and more at risk,” said Virginia Wright, the INL’s CIE program manager. Even more alarming is the threat that advances in automation and artificial intelligence will make it easier for hackers and cyberterrorists to find targets faster and in greater numbers.
“Modern automation provides adversaries with tools which are always on, always seeking out vulnerable entry points and always adapting,” Wright said.
When designing new systems, the key will be to install cybersecurity protection at the front end. This is where CIE comes in with its central premise that, while no digital system can be made 100% safe from attack, cybersecurity controls can be built in to reduce or eliminate the consequences.
Any upgrades likely to involve automation
Few new water systems today get built from the ground up, said Andrew Ohrt, a water sector resilience specialist with West Yost, a national consulting firm based in Davis, California. What’s more common is for key components of a piece of a water system to be replaced or refurbished. Whatever new technology is adopted, the supervisory control and data acquisition systems monitoring and controlling plant processes are going to be automated.
West Yost was the first company to license INL’s consequence-based security methodology and continues to partner with INL on CIE and other research methods and training for critical infrastructure function assurance. While CIE can appear daunting at first, Ohrt said interest appears to be growing at the seminars and workshops he attends.

Grant process incentives
When it comes to embracing CIE, Idaho has led the charge, offering financial incentives to engineer cyber-resilience into water infrastructure before any other state government.
Regner said she learned about CIE at an American Water Works Association conference. “Regular cybersecurity is like a never-ending game of whack-a-mole,” she said. “With CIE, you have the resources built in to cope with any intrusion. When you explain it to other engineers, they get it.” Regner said that since letters of interest went out in the fall of 2024, 45% of respondents would include CIE in their funding proposals.
In many ways, smaller water utilities have an advantage over big ones, Ohrt said. Of the changes that need to be made, 80% of them are relatively straightforward. “If you’re a smaller utility, it’s going to be easier,” he said. “Idaho is very much leading the way on this.”
Creating future cyber-informed engineers
The Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response sponsors and coordinates CIE efforts by INL; National Renewable Energy Laboratory; and industry, academic and other partners. In support of the Department of Energy’s National Cyber-informed Engineering Strategy and National Cybersecurity Strategy, the program has produced many tools, training and working groups to help organizations and academia adopt and implement CIE.
This is another area where Idaho leads efforts with other universities across the nation, both in leveraging CIE in the classroom and in developing the CIE Curriculum Guide, which included input from nine universities, including Boise State and Idaho State. Both universities have built CIE principles and hands-on training into related cybersecurity and engineering courses.