Infrastructure is one of those words that we think we know. Then something happens that shows us infrastructure is a lot bigger and a lot more complicated than we believed.
When a bridge falls in Pittsburgh on the morning the president is due to visit for an infrastructure speech, that is a very obvious example of infrastructure failure.
When a bus falls into a hole? You might have an infrastructure issue.
But a small local water authority being targeted by hackers? That might not hit you as an infrastructure problem.
It should.
In November, the Municipal Water Authority of Aliquippa was targeted by a pro-Iranian hacking group called Cyberavengers because it used a piece of equipment made in Israel. A small substation was targeted, with hackers disabling a device used to control water levels.
The attack was a cybersecurity breach. The water system it threatened was infrastructure.
This highlights an area where the two overlap and where more attention must be paid.
In February, the U.S. Government Accountability Office issued a report identifying the need to better protect critical infrastructure from cyberattacks. The report addressed federal systems, including the Department of Energy and the U.S. power grid.
However, much of the nation’s infrastructure isn’t in federal hands. It is the responsibility of local agencies such as water authorities that often are stretched thin to provide basic services to small or rural populations and don’t have the resources to buy or build cyberdefenses.
Legislation has been introduced at the federal and state levels to increase cybersecurity with little movement. In Pennsylvania, such a bill was backed by private water companies, but public authorities opposed it because of the demands. In the end, it puts authorities in a position of radically increasing costs or allowing systems to go private.
That isn’t something a government agency should have to do to maintain safe service to the people.
The state and federal governments need to come up with legislation that doesn’t just mandate cybersecurity. It also needs to recognize the critical nature of our smallest government agencies in the web of the nation’s infrastructure and find a way to help them provide it safely and securely.
