Local Leaders Play Critical Role in Securing Infrastructure

BY STEPHEN GOLDSMITH and BETSY GARDNER • APRIL 11, 2022

This article originally appeared in Government Technology.

Traditionally, safeguarding water resources concerned groundwater testing, lead pipe replacement, combined sewer overflows and watershed cleanups. In 2022 though, it also means establishing strong cybersecurity protocols to prevent digital attacks on water systems. The U.S. Environmental Protection Agency announced in January a new action plan to “Accelerate Cyber-Resilience for the Water Sector,” which highlights how important it is to address digital threats to American infrastructure and folds into the broader federal agenda.

The May 2021 ransomware attack on Colonial Pipeline impacted over 5,000 miles of fuel pipelines across the southern and eastern United States, immediately revealing just how vulnerable the outdated and legacy systems are in the age of Internet-connected infrastructure. Later investigations revealed that hackers disrupted Colonial Pipeline and shut down the system with just one stolen password.

Moving forward toward safer infrastructure does not mean moving backward to static, unintelligent systems; the reality is that we must build toward a smarter future that incorporates technology into public works. The American Rescue Plan Act will direct hundreds of millions of dollars to cities in dire need of infrastructure repairs after decades of deferred maintenance, and the twin solutions of IoT connectivity and cybersecurity will bring this country’s infrastructure into the current century — and prepare it to last far beyond.

The threshold question for local leaders involves their role not just with the systems they control, but also involving key providers of local services. Some local governments own their utilities; others do not. Privately owned and operated utility service providers generally are monopolies regulated by state, not local, government. Yet mayors or county executives are held responsible for catastrophes like tornadoes or floods. Emergency response to a utility shutdown here is not enough — prevention matters. Certainly, the ransomware attacks on city governments and the Colonial attack raise red flags.

Cyber attacks are highly sophisticated and not many cities have the resources to keep up. Mayors should reach out beyond their authority, directing attention and best practices to preventing utility shutdowns. A first step would be convening all key stakeholders to increase attention on the issue and facilitate a forum of local entities so that best practices can be ensured across all the relevant groups. Elected officials often would be well advised to contact the outside security consultants that many of them utilize for their internal systems concerning best approaches for the convening of service providers. That forum can continue without city management, but officials should be assured that it will be a continuing effort.

Key participants that oversee these industrial control systems (ICS) should begin with a self-assessment that identifies holes in security and implements basic security features like two-factor authentication. There should also be an immediate review of network security for remote employees, as well as a check on which employees (and former employees) have access to what information. Any lingering computer or software updates should be implemented right away. Local officials should contact state regulators to determine the extent to which these questions are part of regulatory review. And similarly, the federal government is increasingly accepting its role.

The lack of investment in American infrastructure has left the country littered with dangerous and crumbling bridges, pipes and dams, earning the U.S. a C- on the 2021 Infrastructure Report Card. And while this lack of investment has led to very real physical dangers, doing the same with IoT-connected infrastructure means additional broad cybersecurity risks. There is a need for ongoing investment in smart infrastructure, guided by regular audits. Internal or external vulnerability modeling can also help identify where investment and attention should be directed.

One key to long-term safety and security is the human factor. Regular training to enhance cybersecurity skills and awareness will help bridge the gap between cybersecurity experts and industry experts and will transform ICS protection.

Local elected officials need to reach beyond their actual authority, and even their expertise, to call attention to the risk and to create a situation where the very best ICS operators set standards for and educate others.

About the Author

Stephen Goldsmith 

Stephen Goldsmith is the Derek Bok Professor of the Practice of Urban Policy and the Director of the Innovations in American Government Program at Harvard's Kennedy School of Government. His latest book is Growing Fairly: How to Build Opportunity and Equity in Workforce Development.

Email the author.

About the Author

Betsy Gardner

Betsy Gardner is the editor of Data-Smart City Solutions and the producer of the Data-Smart City Pod. Prior to joining the Ash Center, Betsy worked in a variety of roles in higher education, focusing on deconstructing racial and gender inequality through research, writing, and facilitation. She also researched government spending and transparency at the Lincoln Institute of Land Policy. Betsy holds a master’s degree in Urban and Regional Policy from Northeastern University, a bachelor’s degree in Art History from Boston University, and a graduate certificate in Digital Storytelling from the Harvard Extension School.