Cramer Welcomes North Dakota Witness to EPW, Questions Panel on State and Federal Cybersecurity Cooperation

WASHINGTON, D.C. - The Senate Environment and Public Works (EPW) Committee heard from North Dakota cybersecurity specialist Matt Odermann during a hearing examining cybersecurity challenges impacting water infrastructure across the nation.

U.S. Senator Kevin Cramer (R-ND), chairman of the EPW Subcommittee on Transportation and Infrastructure, introduced Odermann, an executive board member of the North Dakota Rural Water Systems Association and Cybersecurity Supervisor at Minnkota Power Cooperative in Grand Forks.

In introducing Odermann, Cramer emphasized his "more than a decade of experience in cybersecurity and critical infrastructure protection, with a strong understanding of the unique challenges facing rural water systems."

Odermann described the capacity challenges rural systems face, noting he has"seen firsthand the cyber security challenges that play out in a converged [information technology] and [operational technology] environment. The vast majority of water and wastewater systems in this country serve communities of 10,000 people or less. We have the same responsibility as large water utilities to deliver safe drinking water every second of every day. The difference for us, though, is scale. Small systems operate with limited staff, limited revenue, and limited technical capacity. Most do not have in-house cybersecurity personnel. In rural America, cybersecurity is not a question of indifference. It's a question of capacity."

Turning to solutions, Oderman then highlighted partnership and practical guidance as the path forward, stating "with the right balance of partnership, practical guidance, and resources, we can strengthen cybersecurity across America's water infrastructure, not through fear, but through collaboration and resilience."

Odermann outlined five principles in his testimony for strengthening rural water system cybersecurity, including leading with assistance instead of enforcement, funding mandates for cybersecurity measures, focusing on foundational controls such as phishing prevention, strengthening weak passwords, and updating legacy equipment. He emphasized the need to rely on established trusted partners like organizations utilities already depend on and stressed the importance of recognizing diversity of system size.

Cramer began his questioning by highlighting Odermann's first recommendation of leading with assistance rather than enforcement. Referring to a previous question by U.S. Senator Sheldon Whitehouse (D-RI) on cyber considerations for liability insurance, Cramer asked about the market aspect of insurance as a mechanism for assistance rather than enforcement.

"The fiduciary responsibility of being on a board, you typically look at, you know, how do we cover our risk?" said Odermann. "And cyber insurance definitely is part of that. And that is definitely driving some organizations to strengthen their cyber defenses because if you're a higher risk, you pay higher insurance premiums. If you desire more coverage, they're going to investigate you a little bit more, make sure that, hey, is this somebody we can actually cover or not? So the point about cyber insurance driving some of the changes is happening already."

Cramer followed up by explaining how rural water systems, often collaborate and partner, but maintain their desire to protect their sovereignty and autonomy. He then asked for a "best practice that has worked for each of you as a way just give us a little guidance."

"I mean, I think that you know we as a large systems example, we want to work together with everyone," said Scott Dewhirst, Deputy General Manager for Engineering and Technology at Fairfax Water. "I think we engage with our colleagues across the state and Virginia, for instance, and share ideas and share best practices. I think to Water Information Sharing and Analysis Center (WaterISAC), I think that's a great example, we can all collaborate together. I think that we can bring awareness to incidents as they occur, and that becomes a central clearing house for everyone in the country. It gives us a way to manage those threats and make sure people, large [or] small, it doesn't matter where you are in the country, is aware of those threats that can take mitigation steps to correct that. So I think WaterISAC is a great tool to kind of weave through all of us to give us their standards and protection."

"Definitely using trusted partners that already have those relationships built out, that state primacy agencies and as state associations have a footprint and everything community in North Dakota," answered Odermann. "For example, they know those circuit riders by name, probably have their cell phone… They probably know their kids' names and things like that. That's a very trusted relationship. What doesn't work is, you know, I have a 15 page bulletin information [disclosure]. That doesn't land with an operator in a small system. But definitely the trusted partners is where we work the best."

"For the most part, especially at the state level, I have found the agencies to be really valuable partners and very helpful…trying to, regardless of the regulated community, help them comply with the regulations and not always wielding the stick, but actually providing what can become a very trusted resource, you know, for these utilities, for example, in this space," said D. Scott Simonton, Fellow at the Marshall University Institute for Cyber Security. "So that can be part of it and not just the punitive part of the regulatory agencies, but I find them to be actually very helpful most of the time."