Idaho and the Idaho National Laboratory (INL) are at the forefront of efforts to safeguard public health in the increasingly critical area of water systems. The core idea of cyber-informed engineering (CIE) is that, regardless of the number of protective measures in place, determined attackers will eventually find a way to breach systems. Therefore, it is essential to design systems that can either withstand minimal damage or fail safely when faced with cyber threats.
The INL is the origin of CIE, an initiative focused on the importance of integrating cybersecurity into the design and operation of infrastructure. Since 2023, the Idaho Department of Environmental Quality has factored CIE into its considerations of drinking and wastewater systems. This year, they have expanded CIE into scoring grant applications from communities seeking funds to help replace or update their water systems. This means any grant proposal that contains CIE has a greater chance of being funded.
“The people we’re trying to get the CIE message to are the consultant engineers,” Rosemary Regner, the department’s grants and loans engineer, detailed in a statement last week. “They … design the systems in the state.”
The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response sponsors and coordinates CIE initiatives through collaborations with the Idaho National Laboratory, the National Renewable Energy Laboratory, and various industry, academic, and other partners.
In alignment with the Department of Energy’s National Cyber-Informed Engineering Strategy and National Cybersecurity Strategy, the program has developed numerous tools, training sessions, and working groups to assist organizations and academic institutions in adopting and implementing CIE practices.
Idaho is at the forefront of these efforts, partnering with universities nationwide to integrate CIE into educational settings and develop the CIE Curriculum Guide. This guide was crafted with contributions from nine universities, including Boise State and Idaho State, both of which have incorporated CIE principles and practical training into their cybersecurity and engineering courses.
Idaho has hundreds of community water systems, most of them serving populations of 3,300 or less. Money offered by the Idaho Department of Environmental Quality to modernize those systems is limited, so competition is fierce.
When it comes to cybersecurity research, the INL and Idaho have a relationship that dates back to the 1990s and was hallmarked in 2019 with the opening of the state-funded Cybercore Integration Center on INL’s Research and Education Campus in Idaho Falls. The center provides a place where researchers from the public and private sectors have access to the latest tools for keeping operational technology systems safe from malicious activity. Digital OT (operational technology) is everywhere, from electrical substations to food processing plants to water purification facilities.
While community water systems have always been appealing targets for nefarious actors, digital modernization has opened new avenues for disruption. Hackers and cyberterrorists can jeopardize public health by disrupting water supply or wastewater treatment by manipulating chemical levels, altering flow, damaging equipment, or causing complete system shutdowns.
The water sector has been targeted by cyber adversaries several times. In November 2023, engineers at the Municipal Water Authority of Aliquippa, Pennsylvania, saw their system suddenly shut down. Their screens displayed a message from a group calling itself Cyber Av3ngers, and the attack was based in Iran.
The utility resumed operations manually, allowing services to continue to city residents and customers in three neighboring townships. But it was a wake-up call to utilities and policymakers nationwide.
Most water systems in the U.S. are decades old and use antiquated analog technology. This makes it easy for any digitally equipped system, like Aliquippa’s, to be switched back to manual operation, but this is only a temporary advantage. As new systems are built, they will rely on networked digital instrumentation and control systems.
“As they invest in digital technology, they are putting themselves more and more at risk,” said Virginia Wright, the INL’s CIE program manager. Even more alarming is the threat that advances in automation and artificial intelligence will make it easier for hackers and cyberterrorists to find targets faster and in greater numbers.
“Modern automation provides adversaries with tools which are always on, always seeking out vulnerable entry points and always adapting,” Wright said.
When designing new systems, the key will be to install cybersecurity protection at the front end. This is where CIE comes in with its central premise that, while no digital system can be made fully safe from attack, cybersecurity controls can be built in to reduce or eliminate the consequences.
When it comes to adopting CIE, Idaho has led the charge before any other state government to offer financial incentives to engineer in cyber-resilience of water infrastructure.
Regner said she learned about CIE at an American Water Works Association conference. “Regular cybersecurity is like a never-ending game of whack-a-mole,” she said. “With CIE, you have the resources built in to cope with any intrusion. When you explain it to other engineers, they get it.” Since sending out letters of interest in the fall of 2024, Regner said 45 percent of respondents would include CIE in their funding proposals.
In many ways, smaller water utilities have an advantage over big ones, Ohrt said. Of the changes that need to be made, 80% of them are relatively straightforward. “If you’re a smaller utility, it’s going to be easier,” he said. “Idaho is very much leading the way on this.”
According to Andrew Ohrt, a water sector resilience specialist at West Yost, a national consulting firm in Davis, California, it’s rare for entirely new water systems to be constructed from scratch today. Instead, it’s more common to replace or refurbish key components of existing systems. Regardless of the new technology implemented, the supervisory control and data acquisition systems that monitor and control plant processes are increasingly automated.
West Yost was the first company to license the consequence-based security methodology developed by INL and continues to collaborate with INL on CIE and other research methods and training to ensure the functionality of critical infrastructure. Although CIE may initially seem intimidating, Ohrt noted that interest is growing at the seminars and workshops he attends.
In January, the INL published a white paper that synthesizes an array of crucial grid services provided by BESS (battery energy storage system) technology, which assesses its architecture and communications and presents a case study for analysis against the principles introduced by cyber-informed engineering (CIE). Furthermore, in walking through the analysis, the INL paper presents a framework to evaluate risks and solutions when considering BESS components.
