And What It Means For Government Action / Inaction
For as long as I can remember, it has been an accepted and repeated “fact” that 85% of US critical infrastructure is privately owned. With the subtext of this “fact” that government organizations have great difficulty in requiring security controls, or more broadly risk management, to address the cyber threat.
A recent paper, Fact and Fiction: Demystifying the Myth of the 85% by Azrilyant, Sidun and Dolashvili, provides the real numbers for the non-nuclear energy, water/wastewater, and food/agriculture sectors. Importantly they looked at the numbers in two ways for each sector.
- The percentage of companies in the sector that were privately owned
- The percentage of the population that was served by a privately owned company
The later number is more important from a national risk management standpoint because the availability of critical infrastructure for the people is more important than any company’s survival or effectiveness.
The water/wastewater numbers have the biggest variance from the 85% myth and provide the best opportunity for the government to demonstrate that enhanced public sector control or influence is directly correlated to better security … whether private ownership is a detriment or a benefit to a secure and resilient critical infrastructure.
The paper looked at data from 144K water utilities in the United States. For some reason they did not compile, or I missed it in the paper, the national numbers. Instead they broke the numbers down by state in Appendices A & B. A quick review of the numbers showed that over 85% of the US population’s water/wastewater services are provided by a public sector (government) organization. Here are the percentage of the population served by public sector companies in the largest states:
- California: 82%
- Florida: 92%
- New York: 91%
- Texas: 95%
There is more variance in the smaller states, for example Delaware with a nationwide low of 38%. Many medium size states have 97%+ of their population services by public sector utilities. The smallest value from a largish state is Pennsylvania with 66%.
While there are some security superstars in the water sector, OT security in water is generally considered to lag far behind the large privately owned electric and oil/gas sector participants. To date, the data indicates that public sector ownership and control of critical infrastructure has resulted in a lower security posture / increased risk as compared to privately owned critical infrastructure.
Perhaps this lower security posture is due to a lack of attention on the water sector. This is no longer an excuse after recent incidents. If public sector ownership, control and influence is a positive for critical infrastructure cyber risk reduction, then we should see this take place in the water sector over the next 1 to 3 years.
For international readers, it would be wrong to extrapolate US government performance to other countries. The legal power (regulatory and other) and effectiveness of the government structures is likely the critical factor. There are some non-US success stories where heavy government involvement has resulted in significant improvement of the critical infrastructure OT security posture.
Next Week: What To Do About Small Companies Running Critical Infrastructure