Cyberattack: Communication Planning is Essential for Water and Wastewater Agencies
By Sheri Benninghoven, APR, and Scott Summerfield, Principals, SAE Communications and Maurice Chaney, Public Information Officer, Roseville Environmental Utilities
Cyberattacks on utilities (and public agencies of all types) are occurring with alarming frequency, and agencies must have a communications strategy when the inevitable happens. In May, the United States Environmental Protection Agency warned that cyberattacks targeting water utilities across the country have increased in frequency and severity, most often involving threats from Iran and China. Almost 75% of water systems inspected by the EPA don’t fully comply with security requirements in the Safe Drinking Water Act, with shortcomings such as default passwords that haven’t been updated and single logins that can easily be compromised.
In recent years, cybersecurity threats and physical infiltration of water and wastewater infrastructure have significantly increased, especially targeting smaller utilities with outdated operational technology (SCADA and other industrial control systems) that lack proper controls and safeguards and are heavily exposed to the internet. According to Security magazine, more than 2,000 attacks occur daily on public and private organizations. Are you next?
Think about what can happen if a cyberattacker seizes control of your data and your systems, whether it’s theft and public release of information or a ransomware hostage situation. Customer information, billing and payment systems, human resource and payroll records, legal documents, gate/door/elevator access and countless other systems can go offline or become inaccessible in an instant.
Communications is at the top of a successful cyberattack response – along with a clear pre-crisis understanding of your vulnerabilities – and agency communicators are just as important as those who investigate what happened and restore services. Cybersecurity experts consistently note three essential communications guidelines:
- Openness with those affected
- Transparency in explaining what happened
- Honesty about the attack’s scope
Sadly, those tenets are frequently missing from cyberattack responses, and bad situations are made worse by a communications vacuum, rumor, innuendo, and fear.
Your stakeholders – internal and external – will express a range of feelings, including outrage, disappointment, worry, and confusion…and will ask pointed questions. Is my water safe to drink? How did you let this happen? Is my financial information impacted? How are you going to get service re-started? When will things be back to normal?
Here is a baker’s dozen ways your agency can prepare for and communicate effectively in an attack:
- Know Your Exposure – meet with your information management staff and department heads for an in-depth and brutally honest discussion about your agency’s cyberattack vulnerabilities; walk through your treatment plants and other facilities and ask operations staff what could happen if they’re compromised
- Keep Prodding – communication is one of the most important elements of a viable cyberattack response, and as an agency leader (whether elected/appointed or staff) your input must be part of the response, even if it means sometimes being a pest; continually ask tough questions about the attack’s scope and recovery progress
- Prevent An Attack From Happening – craft an education program for staff centered on spotting phishing and other attack triggers in personal and work email accounts
- Highlight the Risk – ensure that staff understands the potential damage to your agency and those you serve, recovery costs, and the hit to your credibility when information is stolen or held hostage
- Focus on New Hires – include cybersecurity in onboarding materials and briefings, and emphasize your agency’s commitment to the protection of its information
- Plan Your Response – make sure your emergency response and crisis communications plans include cyberattacks; don’t forget about your staff, which will be affected in many ways
- Identify Your Team – chaos will likely ensue when you’re attacked, and you’ll need to immediately gather your designated crisis response team, including your local government, regional cybersecurity, FBI, DHS, Secret Service, and other partner agency contacts; pull your team together and build relationships now, as you won’t have time when the attack hits
- Anticipate Outrage – your stakeholders will be angry and confused…and communicating with heartfelt empathy will help you tell your agency’s response story more effectively
- Prepare for Questions – though each attack is different, you can begin drafting answers to the questions you’re most likely to be asked by your stakeholders and the media, then modify them as necessary when you become a victim; identify your attack-related spokesperson and train them for a high-visibility response
- Create Response Documents – develop cyberattack holding statements, pre-prepared social media posts, news releases, and staff communication scripts that are written in plain language and can be deployed quickly; also include backup protocols to distribute information if your traditional systems are compromised
- Learn from Attacks on Other Agencies – media coverage and public reaction will be similar to what you’ll face; identify what went well and what could have been more effective
- Train Your Staff – conduct regular training sessions, tabletop exercises, and other preparedness drills across all agency operations; these activities create muscle memory and establish an ideal state of preparedness
- Clarify Policy Leader Responsibilities – members of your governing body may want to communicate directly with your customers, and their training should focus on the importance of only posting verified information, their role during a cyberattack, etc.
Don’t forget to tell your resiliency story whenever possible. Your stakeholders expect you to anticipate bad things, and you can increase confidence by noting your challenges, highlighting what you’re doing to keep information safe, and committing to honesty when something happens. You have a variety of tools to build confidence, such as scheduling a policy leader update, holding customer and staff forums, spurring an online discussion, and pitching a media story. The more you focus on cybersecurity, the less likely you are to become a victim.
Sheri Benninghoven and Scott Summerfield are principals of California-based SAE Communications and have provided communications counsel, media relations, and Joint Information Center management for many of California’s most challenging recent disasters and crises of confidence issues. Maurice Chaney is Public Information Officer for Roseville Environmental Utilities, responsible for communications strategy for a suite of utilities in the fast-growing community. All three authors are recipients of the California Association of Public Information Officials (CAPIO) Paul B. Clark Award for lifetime contributions to the profession.
Partnering For Impact: Materials Now Available
Partnering for Impact (PFI) is a one-day, highly focused, interactive meeting of thought-leaders, practitioners, academics, and regulators from throughout the wastewater industry. These industry leaders strive daily to advance technology and innovation through various local and regional partnerships. In California, PFI is organized annually by CASA and the California Water Environment Association (CWEA), sponsored by the firms and individuals who are active in CASA’s Engineering and Research Committee. PFI 2024 focused on innovation and collaboration as it applies to recycled water as a future potable water resource and new advancements in PFAS management. You can watch the event and access the speaker presentations for more detail on the CASA webpage.
New Study on PFAS Concentrations in Wastewater from Cosmetics
The Total Mass of Per- and Polyfluoroalkyl Substances (PFASs) in California Cosmetics