Cyberattack: Communication Planning is Essential for Water and Wastewater Agencies as Threats Increase 

California Association of Sanitation Agency Updates

By Sheri Benninghoven, APR, Scott Summerfield, Principals, SAE Communications, and Maurice Chaney, Roseville Environmental Utilities , Emerging Issues

Cyberattacks on utilities (and public agencies of all types) are occurring with alarming frequency, and agencies must have a communications strategy when the inevitable happens.

In May, the United States Environmental Protection Agency warned that cyberattacks targeting water utilities across the country have increased in frequency and severity, most often originating in Iran and China. Almost 75% of water systems inspected by the EPA don’t fully comply with security requirements in the Safe Drinking Water Act, such as default passwords that haven’t been updated and single logins that can easily be compromised.

In recent years, cybersecurity threats and physical infiltration of water and wastewater infrastructure have significantly increased, especially targeting smaller utilities with outdated operational technology (SCADA and other industrial control systems) that lack proper controls and safeguards and are heavily exposed to the internet.

According to Security magazine, more than 2,000 attacks occur daily on public and private organizations.  Are you next?
Think about what could happen if a cyberattacker seizes control of your data and systems, whether it’s the theft and public release of information or a ransomware hostage situation. Customer information, billing and payment systems, human resources and payroll records, legal documents, gate/door/elevator access, and countless other systems can go offline or become inaccessible in an instant.

Communications is at the top of a successful cyberattack response – along with a clear pre-crisis understanding of your vulnerabilities – and agency communicators are just as important as those who investigate what happened and restore services.  Cybersecurity experts consistently note three essential communications guidelines:

• Openness with those affected
• Transparency in explaining what happened
• Honesty about the attack’s scope

Sadly, those tenets are frequently missing from cyberattack responses, and bad situations are made worse by a communications vacuum, rumor, innuendo, and fear.

Your stakeholders – internal and external – will express a range of feelings, including outrage, disappointment, worry, and confusion…and will ask pointed questions. Is my water safe to drink?  How did you let this happen? Is my financial information impacted?  How are you going to restart the service?  When will things be back to normal?
Here is a baker’s dozen ways your agency can prepare for and communicate effectively in an attack:

1. Know Your Exposure – meet with your information management staff and department heads for an in-depth and brutally honest discussion about your agency’s cyberattack vulnerabilities; walk through your treatment plants and other facilities and ask operations staff what could happen if they’re compromised
2. Keep Prodding – communication is one of the most important elements of a viable cyberattack response, and as an agency leader (whether elected/appointed or staff) your input must be part of the response, even if it means sometimes being a pest; continually ask tough questions about the attack’s scope and recovery progress
3. Prevent An Attack From Happening – craft an education program for staff centered on spotting phishing and other attack triggers in personal and work email accounts
4. Highlight the Risk – ensure that staff understands the potential damage to your agency and those you serve, recovery costs, and the hit to your credibility when information is stolen or held hostage
5. Focus on New Hires – include cybersecurity in onboarding materials and briefings, and emphasize your agency’s commitment to the protection of its information
6. Plan Your Response – make sure your emergency response and crisis communications plans include cyberattacks; don’t forget about your staff, which will be affected in many ways
7. Identify Your Team – chaos will likely ensue when you’re attacked, and you’ll need to immediately gather your designated crisis response team, including your local government, regional cybersecurity, FBI, DHS, Secret Service, and other partner agency contacts; pull your team together and build relationships now, as you won’t have time when the attack hits
8. Anticipate Outrage – your stakeholders will be angry and confused…and communicating with heartfelt empathy will help you tell your agency’s response story more effectively
9. Prepare for Questions – though each attack is different, you can begin drafting your answers to questions you’re most likely to be asked by your stakeholders and the media and then modifying as necessary when you become a victim; identify your attack-related spokesperson and train them for a high-visibility response
10. Create Response Documents – develop cyberattack holding statements, pre-prepared social media posts, news releases, and staff communication scripts that are written in plain language and can be deployed quickly; also include backup protocols to distribute information if your traditional systems are compromised
11. Learn from Attacks on Other Agencies – media coverage and public reaction will be similar to what you’ll face; identify what went well and what could have been more effective
12. Train Your Staff – conduct regular training sessions, tabletop exercises, and other preparedness drills across all agency operations; these activities create muscle memory and establish an ideal state of preparedness
13. Clarify Policy Leader Responsibilities – members of your governing body may want to communicate directly with your customers, and their training should focus on the importance of posting only verified information, their role during a cyberattack, etc.

Don’t forget to tell your resiliency story whenever possible. Your stakeholders expect you to anticipate problems, and you can increase confidence by noting your challenges, highlighting what you’re doing to keep information safe, and committing to honesty when something goes wrong. You have a variety of tools to build confidence, such as scheduling a policy leader update, holding customer and staff forums, spurring an online discussion, and pitching a media story. The more you focus on cybersecurity, the less likely you are to become a victim.