Date: January 10, 2022

To: Hon. Melissa Hurtado
Senator, 14th District

From: Gabriel Petek, Legislative Analyst

Subject: Response to Requests on Cyber Resiliency of State’s Water Infrastructure and Farm-to-Table Pipeline

This memorandum responds to your two letters, dated June 30 and August 9, requesting that
our office draft reports on various cybersecurity issues in two critical infrastructure sectors—
referred to in this memorandum as the water and wastewater systems sector and the food and
agriculture sector. (Our memorandum uses these sectors in place of “water infrastructure” and
the “farm-to-table pipeline” to reflect the focus of our research.) Based on our initial research
and outreach that identified significant data and information limitations in our ability to fully
answer each of your questions, we sent a memorandum to your Chief of Staff, Elizabeth Hess, on
August 27 that proposed a revised scope, format (a single memorandum in response to both
letters), and time line for our response. We understand that our proposed changes were
acceptable to you. Largely using qualitative data sources, we primarily focus our analysis on the
cyberattacks, cybersecurity risks, and certain cybersecurity preparedness measures that appear
similar across critical infrastructure sectors. The remainder of our analysis focuses in a more
limited way on the cybersecurity preparedness measures and any other relevant differences that
we identified in the two critical infrastructure sectors that are of particular interest to you.

EXECUTIVE SUMMARY
Research Shows Increase in Number of Cyberattacks on, and Variation in Cybersecurity
Preparedness of, Critical Infrastructure Sector Entities. The frequency of cyberattacks against
critical infrastructure entities, including in the water and wastewater systems sector and the food
and agriculture sector, is increasing. A number of entities in both sectors under consideration,
nationwide and within California, experienced disruptions in their operations and financial losses
because of cyberattacks. Cybersecurity preparedness of sector entities, however, varies widely.
In general, larger entities with experienced staff and more funding performed more extensive
cybersecurity preparedness activities and provided evidence of better documentation and
planning. By contrast, smaller entities cited a number of barriers to improved cybersecurity
preparedness, though many had recently begun at least some cybersecurity preparedness
activities.
Findings Suggest Lack of Dedicated Cybersecurity Funding and Staff Limits Preparedness
of Critical Infrastructure Sector Entities. Existing research on cybersecurity preparedness of
critical infrastructure sector entities indicates that these entities lack funding for cybersecurity
preparedness. Our interviews reflected this finding. Entities in the water and wastewater systems
sector and stakeholders in both sectors indicated a lack of funding available for cybersecurity
activities and staff is a primary barrier to improved cybersecurity preparedness. Moreover, we
found that some sector entities lack familiarity with available resources and best practices to
improve their cybersecurity preparedness; communicate and coordinate little, if at all, with
federal and state government entities; and operate outdated information technology (IT) and
operational technology (OT) systems that cannot be replaced due to funding and/or staff limitations. While
many of our findings relate to both critical infrastructure sectors under consideration, some
findings are sector-specific. For example, in the water and wastewater systems sector, a number
of sector entities found that compliance with federally required cybersecurity-related activities
did not change their activities but merely reaffirmed their current practices, whereas others
benefited from the additional documentation and planning efforts that resulted due to the federal
requirements. In the food and agriculture sector, by contrast, many of the sector entities cited no
federal or state cybersecurity requirements, and had only just begun cybersecurity preparedness
activities in the last couple of years.
Options for Legislative Consideration in Order to Improve Cybersecurity Preparedness of
Critical Infrastructure Sector Entities. In order to improve the cybersecurity preparedness of
critical infrastructure sector entities, including the two sectors of interest to you, our findings
suggest that the Legislature could consider whether requiring sector entities to report significant
and verified cyberthreats or cyberattacks already underway, particularly in the food and
agriculture sector where no reporting requirements currently exist, might improve how state
government entities respond to these threats and attacks. In addition to reporting requirements,
the Legislature could direct the California Governor’s Office of Emergency Services (CalOES),
together with other state government entities in the California Cybersecurity Integration Center
(Cal-CSIC), to submit an outreach plan to inform critical infrastructure sector entities about
available state resources and provide guidance on best cybersecurity practices for legislative
consideration. Lastly, the Legislature also could direct CalOES and other Cal-CSIC partners to
evaluate options for providing critical infrastructure sector entities with grants or other funding
to improve their cybersecurity preparedness, and submit these options to the Legislature. For
sector entities with sufficient funding but insufficient buy-in from entity leadership, the
Legislature might also request that CalOES and other Cal-CSIC partners assess other options
(such as changes in state law, policy, and regulations) to incent entity leadership into allocating
more resources to cybersecurity preparedness. This analysis would need to determine issues such
as overall funding level, funding source, program design, targeted critical infrastructure sectors,
and whether both public and private entities should be eligible for the state financial assistance.
The administration also could consider whether funds should be made conditional on the
adoption of cybersecurity policies and standards that reflect best practices and/or target smaller
entities that face additional barriers to cybersecurity preparedness.

ORGANIZATION OF MEMORANDUM
First, we provide background information on technology concepts and definitions relevant to
a discussion of cybersecurity, federal and state government entities in cybersecurity governance,
critical infrastructure sectors, and the America’s Water Infrastructure Act (AWIA) of 2018.
Second, we provide a summary of our research methodology, including mention of the data
limitations we faced in our analytical work. Third, we provide the findings from our research,
organized into four subsections: (1) an overview of the cyberthreat landscape and cybersecurity
preparedness across critical infrastructure sectors, (2) findings that are relevant to entities in both
the water and wastewater systems sector and in the food and agriculture sector, (3) findings that
are specific to entities in the water and wastewater systems sector, and (4) findings that are
specific to entities in the food and agriculture sector. Finally, we provide options for legislative
consideration to improve the cybersecurity preparedness of critical infrastructure entities,
including both sectors covered in this memorandum.

BACKGROUND
In this section, we provide background information necessary to understand our findings and
options for legislative consideration, including information on relevant technology concepts and
definitions, federal and state government entities involved in cybersecurity governance, federally
defined critical infrastructure sectors, and AWIA.

Technology Concepts and Definitions


Types of Cyberattacks. Our memorandum mentions two main categories of cyberattacks:
phishing and ransomware. Phishing is the impersonation of a trusted group or individual to trick
sector entity personnel into providing access to one or more technology systems, sending money,
and/or sharing sensitive data and information. Ransomware refers to malicious software that
makes data and information inaccessible unless the target group or individual pays some amount
of money.
Types of Technology Systems. We reference two different types of technology systems in
this memorandum: IT systems and OT systems. Generally, IT systems manage the collection,
creation, storage, analysis, and distribution of data and other information, whereas OT systems
generally control physical processes and systems. For example, an IT system in the water and
wastewater systems sector might monitor and bill agricultural and residential customers for water
usage and collect payments, whereas an OT system in this sector might control pump stations,
monitor chemical and water tank levels, and take pressure and volume readings from water
distribution networks. (Recent technological trends such as cloud computing have led to some
convergence in these two types of technology systems.)

Cybersecurity Governance
Federal Government Entities. Federal government entities involved in cybersecurity
activities that are mentioned in this memorandum include:
• United States Department of Homeland Security (DHS). Relevant to this
memorandum is DHS’s involvement in cybersecurity, primarily through its
Cybersecurity and Infrastructure Security Agency (CISA). CISA is one of the
federal leads on national cybersecurity issues and coordinates resilience and
security efforts across critical infrastructure sectors. As one of the leads, CISA
provides national directives and guidance, shares information on potential
cyberattacks and cyberthreats with other government entities and stakeholders,
and works to secure federal technology systems.
• Federal Bureau of Investigation (FBI). FBI is responsible for the investigation
of cyberattacks (in coordination with other federal government entities such as
DHS). The bureau also operates the Internet Crime Complaint Center (IC3),
which collects reports of internet crime from the public and publishes annual
reports on cybercrime.
• United States Environmental Protection Agency (U.S. EPA). U.S. EPA is
designated by CISA as the sector risk management agency for the water and
wastewater systems sector. (A sector risk management agency is responsible for
helping sector entities identify cybersecurity vulnerabilities, mitigate
cybersecurity risks through technical assistance and consultation, and respond to
cyberthreats and attacks [in coordination with other relevant federal government
entities].) Certain entities in the water and wastewater systems sector also must
certify their completion of risk and readiness assessments and emergency
response plans to U.S. EPA under AWIA. (We discuss AWIA and its
requirements in further detail later in this section.)
• United States Department of Agriculture (USDA) and United States Department
of Health and Human Services (HHS). USDA and HHS (delegated to the federal
Food and Drug Administration [FDA]) are designated by CISA as the co-sector risk
management agencies for the food and agriculture sector.
State Government Entities. State government entities involved in cybersecurity activities
that are mentioned in this memorandum include:
• Cal-CSIC. Cal-CSIC coordinates the state’s cybersecurity activities and
information sharing with federal and other state government entities. Four
partners comprise the core of Cal-CSIC: CalOES, the California Department of
Technology (CDT), the California Highway Patrol (CHP), and the California
Military Department (CMD). CalOES serves as the administrative entity for
Cal-CSIC, employing the Cal-CSIC Commander and Deputy Commander; CDT
assesses cybersecurity policy and protocols in the event of a cyberattack; CHP
looks into cybercrimes affecting state assets; and CMD assesses potential
cyberthreats and vulnerabilities across state entities.
• California Department of Water Resources (DWR) and the State Water
Resources Control Board (SWRCB). DWR works with CalOES on disaster
preparedness, mitigation, response, and recovery activities, including from
cyberattacks. SWRCB’s Division of Drinking Water assists with the state’s
drinking water resiliency efforts, including providing information on compliance
with risk and readiness assessments and emergency response plans under AWIA.
• California Department of Food and Agriculture (CDFA). CDFA’s Animal
Health and Food Safety Services Division works on food and agriculture system
resiliency, including cybersecurity issues.

Federally Defined Critical Infrastructure Sectors


CISA Defines 16 Critical Infrastructure Sectors. CISA identifies 16 critical infrastructure
sectors with vital assets, networks, and systems that, if debilitated or destroyed, would have
serious effects on national security, the economy, and/or public health and safety. Figure 1
provides a list of these sectors. Our memorandum focuses on the water and wastewater systems
sector and the food and agriculture sector, as defined below by CISA.

Water and Wastewater Systems Sector. CISA defines the national water and wastewater
systems sector as the 153,000 public drinking water systems and more than 16,000 publicly
owned wastewater treatment systems in the United States. (Of those, California has over 7,000
public drinking water systems and about 900 publicly owned wastewater treatment systems.)
U.S. EPA is the sector risk management agency for the water and wastewater systems sector.
(This sector does not include private water companies, which are not covered by our
memorandum, nor does it include the dams sector which is briefly mentioned in this
memorandum.)
Food and Agriculture Sector. CISA defines the food and agriculture sector as the estimated
2.1 million farms; 935,000 restaurants; and 20,000 registered food manufacturing, processing,
and storage facilities under almost entirely private ownership in the United States. (Of those,
California has nearly 70,000 farms and over 90,000 restaurants.) USDA and HHS (delegated to
FDA) are the co-sector risk management agencies for the food and agriculture sector. (This
sector does not include other critical infrastructure sectors with inputs into the food and
agriculture sector, such as the chemical and transportation systems sectors, that are not covered
by our memorandum.)

AWIA
On October 23, 2018, AWIA was signed into law. AWIA requires community (drinking)
water systems across the United States that serve more than 3,300 people to certify their
completion of risk and readiness assessments and emergency response plans to U.S. EPA. Risk
and readiness assessments evaluate the risks to, and resilience of, community water systems
across several categories, including the security of IT and OT systems used to convey water.
Emergency response plans incorporate findings from the risk and readiness assessments and
identify resources and strategies to improve the security of the community water systems,
including their cybersecurity. These plans also identify mitigation measures in the event of, as
relevant to this memorandum, a cyberattack that affects the safety and/or supply of drinking
water, such as the identification of alternative drinking water options and operation of physical
infrastructure without the use of IT or OT systems.
In your request, you asked us to estimate how many water and wastewater systems sector
entities in California serve 3,300 or fewer people, meaning that they would not be required by
the federal government to complete these risk assessments and emergency response plans. We
estimate that, while a clear majority of sector entities in California serve 3,300 or fewer people,
only 2 percent of the total state population is served by these smaller entities.

SUMMARY OF RESEARCH METHODOLOGY


The following summarizes our research approach in responding to your request.
Literature Review on Cybersecurity and Critical Infrastructure. Our office conducted a
literature review using publications from federal and state government entities, sector-specific
associations, academic institutions, and other materials provided by sector entities. We also
reviewed available summary-level quantitative data sources on, for example, the number and
types of cyberattacks experienced by critical infrastructure sector entities over the past several
years.
Meetings With Stakeholders in the Water and Wastewater Systems Sector and Food and
Agriculture Sector. Our office also met with state government entities, sector-specific
associations, academic institutions, and individual entities within the water and wastewater
systems sector and food and agriculture sector to discuss cybersecurity issues. To the extent
possible, we met with stakeholders in different geographic locations across the state serving
different populations to better understand any regional variation in cyberattacks or cybersecurity
preparedness. These meetings were kept confidential to protect each of the stakeholders, and no
findings or information from these meetings will be attributed by name to one or more
stakeholders.
Standardized Interviews of Public Water and Wastewater Systems Sector Entities in
California. We interviewed 11 different water and wastewater systems sector entities across a
variety of geographic locations that collectively serve a significant number of state residents. A
standardized set of interview questions was used to better survey the cyberthreat landscape,
cybersecurity preparedness activities undertaken, and barriers to cybersecurity preparedness
identified across interviewed sector entities. These interviews were kept confidential to protect
individual sector entities, and no findings or information from the interviews will be attributed
by name to one or more sector entities. (Although we met with a number of food and agriculture
sector entities and stakeholders, we did not employ the use of standardized interviews for the
food and agriculture sector primarily due to time constraints.)
Data Limitations on our Analytical Work. Due to the sensitivity of cybersecurity-related
research, our office was limited in its ability to obtain quantitative data sources (including state-
specific sources). Therefore, in responding to your request, we relied mostly on qualitative data
(often descriptive and/or high-level) from interviews, literature, and meetings to inform the
findings in our memorandum.

OUR RESEARCH FINDINGS ON CYBERSECURITY AND CRITICAL INFRASTRUCTURE
The landscape of cybersecurity and critical infrastructure is broad, so we organized the
findings from our research into four subsections: (1) an overview of the threat landscape and
cybersecurity preparedness across critical infrastructure sectors, (2) findings that are relevant to
both entities in the water and wastewater systems sector and in the food and agriculture sector,
(3) findings that are specific to entities in the water and wastewater systems sector, and
(4) findings that are specific to entities in the food and agriculture sector.

Overview
Increase in Frequency of Cyberattacks on Critical Infrastructure Sector Entities. Recent
federal data, provided by state government entities, suggests cyberattacks are increasing in
California. In 2020, an estimated 47,000 cyberattacks with payouts totaling $1.2 billion were
reported in California across all entities and sectors. In the first six months of 2021, 38,000
cyberattacks had already been reported in the state (with total payouts unknown), representing an
annual increase of 62 percent (were trends to continue). We are unable to determine from these
data how many cyberattacks were on critical infrastructure sector entities, but qualitative data we
reviewed from academic and government sources suggest a similar pattern for these entities.
According to officials in state government, for example, at least a couple dozen entities in the
state’s food and agriculture sector reported cyberattacks in the first two months of 2021, the
majority of which were ransomware attacks. Water and wastewater systems sector entities in the
state also experienced several cyberattacks, some of which led to a loss of sensitive data and of
entity control of one or more OT systems. Several water and wastewater systems sector entities
we interviewed cited significant increases in attempted cyberattacks, some of which were
successful but remediated thereafter.
Cybersecurity Preparedness Varies Widely Across Critical Infrastructure Sectors.
Cybersecurity preparedness across different critical infrastructure sectors varies based on the
current legal, policy, and regulatory frameworks for addressing cybersecurity risks in a particular
sector. In the nuclear reactors, materials, and waste sector, for example, federal regulators
developed comprehensive cybersecurity regulations for nuclear power plants and routinely
inspect their cybersecurity plans and protocols. In the water and wastewater systems sector,
federal documentation and planning does identify cybersecurity risks, but compliance measures
such as the emergency response plans and risk and readiness assessments under AWIA are fairly
new. Cybersecurity practices are identified in federal documentation and planning for the food
and agriculture sector, but risks in the sector itself are identified as an area of interest to be better
understood.

Findings Relevant to Both Entities in the Water and Wastewater Systems Sector
and in the Food and Agriculture Sector
Three Primary Areas of Cybersecurity Vulnerability Common to Both Sectors. Our
research found three primary areas of vulnerability that are common to entities in both sectors of
interest:
• Phishing Cyberattacks on Sector Entity Personnel. More sophisticated phishing
attacks are increasingly targeting sector entity personnel. According to FBI IC3
data from 2020, phishing was the top cybercrime reported to federal authorities by
the public. A majority of California water and wastewater systems sector entities
interviewed cited these attacks as a primary vulnerability, and almost all
successful cyberattacks on these entities started with phishing. Phishing can be a
vector for ransomware. Academic and state government entity sources cited
numerous ransomware attacks last year on food and agriculture sector entities
nationwide and in California, leading to temporary disruptions in operations and
millions paid to attackers.
• Outdated IT and OT Systems. Entities in both sectors cited outdated IT and OT
systems as a primary vulnerability for additional cyberattacks. In your request,
you asked if we could determine the age of IT and OT systems in water and
wastewater systems sector entities and evaluate the need for physical and/or
technological upgrades. While information was not available to allow us to
determine the age of these systems statewide, water and wastewater systems
sector entities we interviewed estimated the age of some of their systems at
upwards of 25 years old. Interviews with sector entities and other sources
confirmed that OT systems in general were more likely to be outdated than IT
systems. Entities in both sectors cited deficiencies in their cybersecurity
preparedness from unpatched software, unsupported hardware, and other systems-
related risks that, without more funding and staff, could not be addressed.
• Inadequate Access Management. Interviews with sector entities and meetings
with stakeholders highlighted access management as a primary vulnerability. A
number of cyberattacks cited by stakeholders involved former or current
employees who were able to gain unauthorized access to sector entity systems
because basic cybersecurity protocols (such as multifactor authentication or
revoking credentials) were not employed by sector entities. Other vulnerabilities
cited by stakeholders and water and wastewater systems sector entities were
deficient remote access controls and lack of adequate division of IT and OT
system networks.
Cybersecurity Preparedness of Entities in Both Sectors Limited by Funding for
Cybersecurity Programs, Staff, and Technology. Each of the three primary vulnerabilities
identified above was attributed to a lack of dedicated funding for cybersecurity programs, staff,
and technology. Interviews with water and wastewater systems sector entities and meetings with
stakeholders in both sectors confirmed that funding dedicated to, or potentially available for,
cybersecurity purposes varies widely among sector entities. For example, within the water and
wastewater systems sector, some entities we interviewed receive dedicated cybersecurity funding
approved by their leadership, while others draw from existing IT department budgets. A few
entities sought federal grant funding, but most did not or were ineligible for available funds. We
make the following additional findings about funding limitations (an issue that is relevant to both
sectors).
• Cybersecurity Programs With More Buy-In From Sector Entity Leadership
Generally Received More Funding for Cybersecurity Preparedness. In general,
cybersecurity programs at larger water and wastewater systems sector entities
were supported by their leadership and, likely as a result, had higher cybersecurity
budgets to perform cybersecurity preparedness activities. Some of the smaller
sector entities cited a lack of buy-in from leadership as a primary barrier to
improved cybersecurity preparedness and, as a consequence, relatively smaller
budgets for their cybersecurity programs. (At least one sector entity said their
cybersecurity program funding was sufficient, but that a lack of buy-in from
entity leadership remained.) Another water and wastewater systems sector entity
said they were currently operating at a significant financial deficit, which limited
any additional cybersecurity spending to the receipt of federal and other grants.
Stakeholders in the food and agriculture sector also cited a lack of buy-in from
leadership and the resulting lack of funding for their cybersecurity programs as
primary barriers to improved cybersecurity preparedness. One sector entity
expressed particular concern at the amount of their cybersecurity program budget
due to the complexity and size of their agricultural cooperative.
• Funding Limitations Create Cybersecurity Staffing Issues in Water and
Wastewater Systems Sector Entities. Almost all of the water and wastewater
systems sector entities we interviewed expressed frustration with the impact of
funding limitations on hiring and retaining cybersecurity staff with the requisite
experience and expertise. Some entities hired third-party vendors with available
funding to alleviate this lack of available staff, but a number of other entities
asked existing staff not currently performing cybersecurity duties to also perform
these activities in a more limited way (so as to accommodate their current
workload). Entities in the food and agriculture sector cited similar concerns on
finding experienced staff or third-party vendors familiar with the cybersecurity
issues in their sector.
• Entities in Both Sectors Do Not Have Adequate Funding to Replace Outdated
IT and OT Systems. A number of water and wastewater systems sector entities
we interviewed cited inadequate funding and staff to replace outdated IT and OT
systems. One sector entity estimated millions of dollars of one-time funding
would be necessary to be spent over several years to update their IT and OT
systems. Other sector entities said at least some ongoing funding would be
necessary, as network monitoring and other ongoing cybersecurity-related
services were needed in addition to system upgrades. Securing funding to replace
outdated IT and OT systems was also a priority for the food and agriculture
sector. According to one academic stakeholder in the sector, only 8 percent of
sector entities currently have active network monitoring software in large part due
to lack of funding.

Findings Specific to Entities in the Water and Wastewater Systems Sector


Smaller Entities Generally Less Prepared for Emergencies Caused by Cyberattacks. In
your request, you asked our office about the preparedness of water and wastewater systems
sector entities to respond to changes in the safety and/or supply of water due to a cyberattack (as
well as possibly other concurrent emergencies such as electricity blackouts or wildfires). Most
water and wastewater systems sector entities we interviewed said that in the event of a
cyberattack that disrupted the entity’s IT and OT systems, entity staff would be deployed to
operate water infrastructure manually. Some of these sector entities cited IT and OT system
segmentation (that is, separating access to, and use of, IT and OT systems from one another) as
one key defense against cyberattacks compromising all of an entity’s systems. Other water and
wastewater systems sector entities cited backups and redundancies as another key defense to
bring at least some of the entity’s systems back online. Some of these sector entities also listed a
number of secondary water sources in their area, such as groundwater wells, and interagency
agreements with other sector entities in the event of disruptions in available water sources. For
multi-disaster events, most water and wastewater systems sector entities said backup generator
capacity was available and sufficient to operate most of their water infrastructure. A number of
these sector entities provided information from their emergency response plans and other
documentation to describe how main offices and field offices (as well as other entities such as
federal, state, and local government entities) would communicate and coordinate their responses.
One important difference in emergency preparedness was between larger and smaller water and
wastewater systems sector entities. Smaller sector entities, particularly those entities that cover a
large geographic area, expressed concern about reaching field offices in a reasonable amount of
time to mitigate cyberattacks through, for example, manual operation of infrastructure because
not all field offices are fully staffed. Some of these entities also expressed concern about
secondary sources of water not being available in the event of a disruption, particularly due to
the current drought in many parts of the state.
Federal Risk and Readiness Assessments and Emergency Response Plans Helped Some
Entities More Than Others. Our interviews with water and wastewater systems sector entities
showed wide variation in how these entities used federal risk and readiness assessments and
emergency response plans (if required) to inform their cybersecurity preparedness activities.
Some entities we interviewed that were not as familiar with cybersecurity preparedness benefited
from the increased communication between IT departments, leadership, and operations teams
that resulted from these assessment and planning activities. These entities also cited better
documentation and planning, and more awareness of cybersecurity vulnerabilities. Other entities
we interviewed, however, said they benefited little from the assessments and plans. These
entities said the process merely reaffirmed their current practices, rather than changing how they
communicate or prepare for cyberattacks. A small number of entities found the process revealed
a lack of interest and participation from leadership and a siloed internal approach to
cybersecurity preparedness.
Federal Plans Did Not Appear to Lead to Improvements in Majority of Systems. In your
request, you asked our office to determine how many entities in the water and wastewater
systems sector implemented improvements based on the federal risk and readiness assessments
and emergency response plans required under AWIA. Based on the interviews we conducted, a
majority of water and wastewater systems sector entities did not identify and/or implement
improvements through this process. Rather, many of these entities cited existing technology
modernization plans already in place before federal compliance efforts were underway as the
primary driver of their cybersecurity improvements.

Findings Specific to Entities in the Food and Agriculture Sector


Cybersecurity Issues New to Many Food and Agriculture Sector Entities. Compared to the
water and wastewater systems sector entities we interviewed and stakeholders we met, food and
agriculture sector entities seemed generally less familiar with cybersecurity issues. Though some
stakeholders acknowledged the increased use of IT and OT systems in the food and agriculture
sector, a number of them either cited the risk of cyberthreats in this sector as low (relative to
other critical infrastructure sectors) or as needing further investigation. One of the food and
agriculture entities we spoke to said cybersecurity preparedness is important, but cited other
potential risks such as water scarcity as reducing the relative priority of cybersecurity.
Information Sharing Less Frequent in Food and Agriculture Sector. In your request, you
asked our office whether there are federal and/or state reporting requirements around
cyberattacks on the food and agriculture sector. We found that there are currently no such federal
or state reporting requirements pertaining to the food and agriculture sector. State government
entities said they use their own intelligence sources to uncover which sector entities were victims
of cyberattacks, but that this information is incomplete because they rely on sector entities to
voluntarily share cyberattack and cyberthreat information. One academic stakeholder also cited
another reason for less frequent information sharing in the food and agriculture sector: trade
secret management. Trade secrets include information about, for example, formulas or practices
and processes that companies protect as intellectual property. Sector entities might be reticent to
share information about cyberattacks and cyberthreats if information sharing might mean
disclosure of trade secrets and/or other confidential information. As mentioned, food and
agriculture sector entities also might be unaware of cyberattacks and/or cyberthreats against them
because of the lack of active monitoring of networks and other cybersecurity preparedness
activities.
Large Food and Agriculture Companies and Cooperatives Combine Many IT and OT
Systems, Increasing Cybersecurity Risks. One academic stakeholder in the food and agriculture
sector noted how large agricultural companies and cooperatives, often formed through mergers
and acquisitions, result in a patchwork of legacy and modern IT and OT systems supporting their
operations. Whereas some other critical infrastructure sectors have federal guidance on IT and
OT systems accumulated through, for example, mergers and acquisitions, the food and
agriculture sector does not. This patchwork of systems exposes food and agriculture sector
entities to increased cybersecurity risks and can limit their preparedness.
International Supply Chain in Food and Agriculture Limits Reach of State Authorities.
The supply chain of California’s food and agriculture sector is international and widely varied,
with numerous entities of all sizes and at multiple places in the supply chain operating outside of
California in other countries and states. This variation makes new state authorities on
cybersecurity preparedness in the food and agriculture sector, as compared to the water and
wastewater systems sector, more limited in their effect and reach. Some stakeholders we spoke to
also cited this variation as one reason emergency preparedness planning was more difficult.

OPTIONS FOR LEGISLATIVE CONSIDERATION TO IMPROVE THE
CYBERSECURITY PREPAREDNESS OF CRITICAL INFRASTRUCTURE
SECTOR ENTITIES
Based on our findings, we offer the following options for legislative consideration in order to
improve the cybersecurity preparedness of critical infrastructure sector entities, including the
water and wastewater systems sector and food and agriculture sector. Implementation of these
options likely would depend on the unique organizational and ownership characteristics of the
sectors affected and, therefore, these characteristics should be considered for each option.
Improve Information Sharing Between State Government Entities and Critical
Infrastructure Sector Entities, Particularly in the Food and Agriculture Sector. Another
barrier to cybersecurity preparedness of critical infrastructure sector entities identified by our
research was a lack of information sharing between state government entities and sector entities.
A potential option for legislative consideration is the adoption of reporting requirements for
certain sector entities when a significant and verified cyberthreat is identified and/or a
cyberattack is underway. Key considerations for the Legislature include the types of sector
entities that would be required to report cyberthreats and cyberattacks, the time line within which
reports would need to be made by sector entities, and the state government entities that would
receive (and act on) these reports. The Legislature could consider starting with entities that
currently are not required by federal or state law or policy to report cyberthreats or cyberattacks,
such as those in the food and agriculture sector. Additional funding for increased state operations
costs to receive and process reports from sector entities likely would be required, along with
additional outreach to entities newly covered by the reporting requirements.
Increase State Government Entities’ Outreach to Critical Infrastructure Sector Entities on
Available Cybersecurity Resources and Best Practices. Critical infrastructure sector entities cite
a lack of familiarity with cybersecurity issues as one of the barriers to improved cybersecurity
preparedness. Another potential option for legislative consideration to increase sector entities’
awareness of and interest in cybersecurity is to provide additional funding for state government
entities to reach out to sector entities about available cybersecurity resources and best practices.
The Legislature could direct CalOES (as the administrative entity for Cal-CSIC) to prepare a
multiyear outreach plan, including an estimate of requisite funding to provide additional
outreach. Key considerations for the Legislature include delegation of responsibility for specific
outreach efforts (for example, CDT for cybersecurity policy guidance), funding sources for any
funding needed by state government entities for additional outreach, and quantifiable measures
of success to evaluate the multiyear outreach plan after its implementation.
Evaluate Options to Provide Critical Infrastructure Sector Entities With Funding to
Improve Their Cybersecurity Preparedness. One of the primary barriers to improvements in the
cybersecurity preparedness of critical infrastructure sector entities identified by our research was
a lack of adequate funding for cybersecurity activities and staff, typically reflecting
circumstances where there was a lack of buy-in from entity leadership to dedicate available
funding for this purpose. To address this issue, the Legislature could direct CalOES and other
Cal-CSIC partners to evaluate options for providing critical infrastructure sector entities with
grants or other funding to improve their cybersecurity preparedness, and submit these options to
the Legislature. For sector entities with sufficient funding but insufficient buy-in from entity
leadership, the Legislature might also request that CalOES and other Cal-CSIC partners assess
other options (such as changes in state law, policy, and regulations) to incentivize entity leadership
to allocate more resources to cybersecurity preparedness. This analysis would need to
determine issues such as overall funding level, funding source, program design, and targeted
critical infrastructure sectors. Another policy issue for the administration’s analysis to consider is
whether the state financial assistance should be granted to both public and private entities. The
administration also could consider whether funds should be made conditional on the adoption of
cybersecurity policies and standards that reflect best practices and/or target smaller entities that
face additional barriers to cybersecurity preparedness. This set of baseline policies and standards
could be defined by the state government entity that administers the funds, in consultation with
the Legislature and other stakeholders.
If you would like a briefing and/or have any questions on this memorandum, please feel free
to contact the memorandum’s author, Brian Metzker, at Brian.Metzker@lao.ca.gov.
