Key Takeaways
- Columbus City Utilities (CCU) has joined the Cybersecurity and Infrastructure Security Agency’s (CISA) Water Sector Initiatives, gaining access to a no‑cost cyber vulnerability scanning service.
- The service delivers weekly automated scans, real‑time threat alerts, and direct support from federal cybersecurity experts to harden CCU’s internet‑facing systems.
- Participation strengthens CCU’s eligibility for future State and Local Cybersecurity Grants (SLCGP) while advancing its 2026 Strategic Infrastructure Plan’s focus on digital resilience.
- Utility leaders cite rising cyber threats—including ransomware, foreign‑state actors, and automated operational technology risks—as motivation for the program.
- Recent assessments show CCU’s vulnerability profile improving, with the latest scans revealing no critical issues, though officials stress that cybersecurity is an ongoing, year‑long effort.
Overview of CCU’s Participation
Columbus City Utilities recently entered a federal partnership designed to shield its water and wastewater infrastructure from escalating cyber threats. Beginning in February, CCU became a participant in the Cybersecurity and Infrastructure Security Agency’s (CISA) Water Sector Initiatives, a Department of Homeland Security program aimed at bolstering the security posture of critical water utilities nationwide. By joining this initiative, CCU gains access to resources and expertise that would otherwise be costly or difficult to obtain independently, reflecting a proactive stance on protecting essential public services.
Details of CISA’s Cyber Vulnerability Scanning Service
The cornerstone of CCU’s involvement is the CISA‑provided No‑Cost Cyber Vulnerability Scanning Service. This offering performs continuous, automated monitoring of the utility’s external digital perimeter, identifying weaknesses before they can be exploited by adversaries. Each week, CCU receives detailed reports that analyze its internet‑facing systems, flag potential security gaps, and recommend remediation steps. In addition to the scans, the service provides real‑time alerts about emerging global threats targeting water utilities and direct access to federal cybersecurity professionals for guidance on securing operating systems and network configurations.
Benefits and Alignment with Strategic Plan
CCU officials emphasize that the program enhances the utility’s security posture without imposing additional financial burdens on local taxpayers. By leveraging federal resources at no cost, CCU can allocate its budget toward other infrastructure needs while still achieving robust cyber defenses. The initiative dovetails with CCU’s 2026 Strategic Infrastructure Plan, which explicitly prioritizes both physical and digital resilience for the Columbus community. Alignment with this long‑term vision ensures that cybersecurity investments are strategic, measurable, and integrated into broader utility planning.
Statements from Roger Kelso
Roger Kelso, CCU’s executive director, articulated the shifting nature of water utility protection: “Securing our water supply is no longer just about pipes and pumps, it’s about protecting the digital systems that manage them.” Kelso described the CISA program as an active adversarial exercise, wherein federal experts simulate attacks on CCU’s servers to uncover weaknesses. “We basically just give them our internet addresses and then they pound away at our servers just like overseas attackers or somebody trying to get into it,” he noted, underscoring the value of realistic testing in fortifying defenses.
Rising Cyber Threats to Water Utilities
The decision to join CISA’s initiative comes amid a sharp increase in cyberattacks targeting U.S. water and wastewater systems. A 2024 Congressional Research Service report documented a decade‑long rise in cyber incidents perpetrated by foreign adversaries against municipal infrastructure. According to Check Point Software Technologies, U.S. utilities experienced 1,162 cyberattacks in 2024—a nearly 70 % surge from the 689 attacks recorded during the same period in 2023. Kelso pointed out that growing automation in utility operations expands the attack surface, as many facilities rely on off‑site monitoring for extended periods, leaving fewer staff physically present to detect anomalies in real time.
Historical Example: Oldsmar Incident
To illustrate the potential consequences of a successful breach, Kelso referenced the February 2021 incident in Oldsmar, Florida. In that case, an unauthorized actor gained access to a water treatment plant’s control systems and attempted to raise the concentration of sodium hydroxide (commonly known as lye) to hazardous levels. A vigilant plant operator noticed the irregular adjustment and restored safe concentrations before any harm could occur. The episode highlighted how cyber intrusions could directly threaten public health by manipulating chemical dosing processes, reinforcing the necessity of vigilant cyber defenses.
Current Geopolitical Threats and Advisories
The utility’s leadership also acknowledged the broader geopolitical context influencing cyber risk. Two weeks after the United States and Israel conducted strikes on Iran, CISA, the Environmental Protection Agency (EPA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint advisory warning water and wastewater utilities about an ongoing Iranian‑affiliated cybersecurity threat. The advisory noted that such threats have, in some instances, disrupted operational technology used in drinking water and wastewater treatment. When questioned by the CCU board about possible impacts from the Iran conflict, Kelso stated that no recent uptick in suspicious activity had been observed, but the topic remains a regular point of discussion in daily operations.
Assessment Results and Ongoing Improvements
CCU has completed four cybersecurity assessments since joining the CISA program. Kelso reported that early scans identified some exposed issues, though none were deemed “super serious.” Subsequent evaluations have shown steady progress, with the two most recent reports revealing no critical vulnerabilities. “When we first started doing it we didn’t have any really super serious vulnerabilities, but there were some things that were exposed,” Kelso told the board. “So it’s been an excellent exercise because the last two reports I’ve had— nothing came up as a vulnerability.” Despite these positive trends, officials caution that cybersecurity is a dynamic challenge requiring continual attention.
Future Outlook and Continuous Process
Looking ahead, Kelso emphasized that achieving full‑suite protection will be an ongoing effort likely spanning the remainder of the year. He characterized the work as “just chewing away at” the task, reflecting the iterative nature of vulnerability management, patching, and staff training. The utility plans to maintain its engagement with CISA’s scanning service, leverage federal grant opportunities, and integrate lessons learned into its broader resilience strategy. By treating cybersecurity as a persistent, evolving discipline rather than a one‑time project, CCU aims to safeguard its water supply against both current and emerging threats.
Conclusion
Columbus City Utilities’ participation in CISA’s Water Sector Initiatives represents a measured, cost‑effective response to the growing cyber threat landscape confronting municipal water systems. Through automated vulnerability scanning, expert support, and alignment with strategic resilience goals, CCU is fortifying the digital backbone that underpins its essential services. While early assessments show encouraging progress, utility leaders remain vigilant, recognizing that sustained effort, interagency collaboration, and adaptive defenses are essential to protect the community’s water supply in an increasingly interconnected world.