Cybersecurity of Infrastructure

Aqua America's facilities supply drinking water and wastewater services to several million people, which makes them a large enough target for cyber attacks.

While Aqua America's CSR report highlights some measures to protect the privacy of utility customers, consumer data is not the only target to protect. Meanwhile, peer companies such as American Water Works have published comprehensive studies on their core infrastructure cybersecurity risks (one of their workshop slides is the image of this Ask). 

Attention to the vulnerabilities of core industrial systems has been growing, with many hackers likely already having access to such systems. The Department of Homeland Security's National Cybersecurity and Communications Integration Center issued an alert last October that such access counts as an Advanced Persistent Threat.[0] A KPMG report apparently found that 48% of power and utility CEOs believe cybersecurity attacks are inevitable.[1]

It's clear that the US has faced increased cybersecurity attacks from other governments and sophisticated attackers. 

As shareowners, we don't want Aqua America to be the weakest link. 

Aqua America management: please take more proactive measures to assess the state of your security and close vulnerabilities. This is a material risk. 

As shareowners, we would like to see WTR retain the services of an independent, professional penetration testing firm, one that you have not previously retained (fresh eyes), to submit an independent report. And please disclose in your next annual report the number of CVEs (critical vulnerabilities) they found and the number of CVEs that you have since closed.

The second step would be to create and operate a bug bounty program, which is an effective way of managing security risks while reducing costs compared to a sophisticated internal red team.