It was ten degrees below zero, and I had just completed the hardest ruck march of my life. A group of 28 Marines and I (a lucky Air Force officer) had covered more than 10 kilometers on cross-country skis in the brutal Sierra Nevada Mountains for mountaineering training. By the end of the march, most of us had consumed all our water. We were completely isolated, with no resupply on the way. Thankfully, our instructors had taught us to melt snow and sanitize it with our mountaineering stoves. Survival training enabled us to secure water regardless of the environment. In the same way, American utility workers from the deserts of Arizona to the swamps of Florida secure water in every county to promote human flourishing.
Water services in the United States are decentralized by design, but the introduction of digital technology into water utilities makes these systems vulnerable to cyber attack. Small-town water suppliers are especially squeezed between affordability for customers and infrastructure resilience, but AI data center investments in rural communities may offer a way to lift small communities above the “security poverty line” and harden local water services against cyber attacks.
Local water infrastructure shocks can become a national strategic interest. The second-order effects can reach far beyond drinking water.
For example, agriculture needs clean water for irrigation; without it, crops run the risk of spreading deadly diseases or withering in summer heat. The agricultural sector particularly relies on water service providers that are most vulnerable to cyber attacks. Further, the energy sector needs water for power generation and turbine operations. Water services doubly impact AI and data center operations, meanwhile, because they require energy and water for cooling. A 5,000-person town becomes more of a strategic target if they have a critical asset, for example, when that water supply serves a critical data center or agricultural irrigation, the calculus changes.
In modern life, access to clean water is so ubiquitous that few consider what is required to sustain and secure it. Yet we understand that access to water is essential; in fact, when asked about their top environmental concerns, most Americans list access to water.
The United States’ complex system of watersheds and aquifers means there is no single point of attack that could affect the water supply for the entire United States. Localism in our water system means systemic resilience for the “national water supply.” But distributed water services must now reckon with cyber threats that could disrupt a critical municipality. The vast capabilities of a hostile nation-state could be levied against a single American township. What now exists as a localized network could have second order effects that require a national strategic response.
Before water services relied on digital technology, water security was primarily physical. Now utilities have adopted operational technology (OT) into their workflows to assess and control their systems in real time, but the benefits have come with the side effect of introducing a cybersecurity vulnerability. Now, perpetrators do not need to be physically present to attack the water supply.
In modern life, access to clean water is so ubiquitous that few consider what is required to sustain and secure it.
Chilling reports detail the lack of cybersecurity in water treatment facilities. Because municipal governments orchestrate water management, the federal cybersecurity guidelines are just that: guidelines. More than 70% of facilities fail to meet basic cybersecurity requirements, such as changing default passwords (wait, 1234 isn’t a secure password?). The information technology systems that are vulnerable to hacking directly connect to the OT systems controlling chemical treatments. Simply investing in air gapping would dramatically reduce this threat. Perhaps the simplest cybersecurity measure Americans could take today is for residents to pester their city council to ensure the water department has changed its OT password from the system default. This simple fix could produce a disproportionate security boost from something requiring relatively minimal effort.
Centralizing water management is another obvious temptation for policymakers and strategists alike, but distributing national resources to ensure cybersecurity at the local level would maintain the built-in national resilience of a distributed system. Finding solutions to proliferate cyber resilience for our water supply should be preferred over centralized management. Chesterton’s fence suggests that we should not overturn localized water management practices until we can account for the financial, geographic, and political reasons municipalities were tapped to manage water in the first place. These reasons do not change because of cyber threats. Instead, local water services should locally execute robust cybersecurity standards.
Despite the benefits of localized water management, many small water services face economic pressure because cybersecurity is often a fixed cost shared by fewer customers. Roughly 91% of the water service systems in the United States serve just 17% of the population. These utility providers are desperately trying to ensure affordability, and every dollar spent on cybersecurity increases consumer water bills. Duke University’s Nicholas Institute outlines the trade-offs between infrastructure investment, affordability, and fiscal stability for the service provider. Although there are some creative solutions to mitigate the intensity of these trade-offs, cybersecurity concerns can create a labor arbitrage problem. While the water services provider attempts to keep costs low, it relies more on technology to automate their operations. But this technology comes with cybersecurity risks that are expensive to counter.
The right deal with a hyperscaler can lift a small community above the security poverty line and protect their water supply from cyber attacks.
For municipalities that lack the funds to harden their cyber infrastructure to protect their water supply from cyber threats, there are even some charities where cyber professionals do work pro bono to help undersourced municipalities. Wendy Nather describes this phenomenon as living below the “security poverty line.”
Another way to secure funds is AI data centers. For now, many rural communities have mounted well-founded pushback on proposals to build AI data centers in their area. But the conversation remains fixated on energy prices. Howell Township, referenced in the WSJ’s recent piece on this topic, chronicles a community of 8,000 residents rejecting a proposal for a Meta data center. While some may caricature their campaign as Ludditism, the reality is rural communities have a lot to gain and a lot to lose on a deal like this, particularly when it comes to utilities.
Commitments from hyperscalers to invest in infrastructure resilience could dramatically change these negotiations. Structuring a deal to be a net benefit for utilities in a rural community would eliminate much of the rural hesitance to AI data center buildout while simultaneously being one of the few ways to revitalize aging, vulnerable infrastructure and ensure continued local control of water infrastructure.
Cybersecurity for water services directly benefits the data center, as such centers also rely on water for cooling, and the energy they use requires water services. As data centers come to rural communities, they often have significantly more leverage than local leaders in negotiations and typically offer only a modest form of infrastructure investment. If municipalities and hyperscalers approach infrastructure revitalization commitments as mutually beneficial, it would promote shared, long-term thinking that will ultimately lead to security for both parties. Many rural communities face an apparently impossible tension between affordability and water service resilience. Hyperscalers can invest in cybersecurity for water utilities out of self-interest while maintaining affordability and local control for residents.
A cyberattack won’t eliminate my ability to boil snow in the mountains, but it can certainly shut off the water supply to a data center. Small communities must incorporate cybersecurity for water services into the infrastructure proposals they bring to hyperscaling businesses that build in their towns. The right deal with a hyperscaler can lift a small community above the security poverty line and protect their water supply from cyber attacks.
The analysis, opinions, and recommendations contained in this memorandum are solely those of the author in a personal capacity. They do not reflect the official policy, position, or endorsement of the Department of the Air Force, the Department of Defense, or any other U.S. government entity.
Don’t miss
 | A guest post by
|