Ep. 5: The Truth About Hackers and (Yes) Your Toilet

Summary

Cyber gangs have threatened municipal water operations from Maine to California, and such attacks are on the rise as more systems go digital. Is it time to decentralize our water supplies? That’s the radical new approach that could protect not just water but other critical infrastructure.

HOST: Mike Curran, vp global talent, Tanium
GUEST: Riggs Eckelberry, CEO, OriginClear

Show notes

Check out these articles in Focal Point, Tanium’s new online cyber news magazine.

• Russia’s Cyberwar Targets Western Critical Infrastructure
• What a Cyber Assault on Our Power Grid Will Look Like
• Why Cybercriminals Target Small Utilities

Transcript

The following interview has been edited for clarity.

Mike Curran: President Biden announced the Water Sector Action Plan last January, I believe?

Riggs Eckelberry: Sure.

Curran: And it was planned to install cyber protections on water systems within 100 days. How successful has it been?

Eckelberry: Well, where’s the funding? I mean, it’s like, OK, you know, King Canute waves and the waters recede? No, you have to actually fund the plan and get behind it.

Curran: Aging water systems, long plagued by disintegrating pipes, now must contend with another danger: In recent years, actors have threatened municipal drinking and wastewater operations across the U.S. from Maine to Florida, Maryland to California, and such attacks are on the rise as more systems go digital.

Hi, I’m Mike Curran, and today on Let’s Converge, we’re talking water safety and critical infrastructure.

Joining me today is Riggs Eckelberry, the CEO of OriginClear, a startup that’s looking to disrupt the trillion-dollar water services industry.

Riggs comes at water from the world of high tech. As president and CEO of the security software company Cyber Defender, he led that firm to an IPO on the Nasdaq. Now he’s looking to create a powerful, profitable “Airbnb for water,” privatizing water treatment and funding it with asset-backed, high-yield water annuities.

So, Riggs, we know that the public water systems are underfunded, but the problem resulting from that underfunding that we usually hear about is health-related. You know, old lead pipes leaching toxins into the water systems, like in Flint, Michigan. But there’s another vulnerability: the risk of cyberattack. How worried are you about a cyberattack on our water supplies?

Eckelberry: Well, Mike, it’s inevitable because we have 150,000-plus water systems, which means there’s a lot of very small ones. They are little, country systems. And as a result, you can get into a problem of just not enough resources to handle the problem.

This is a generalized issue. So as you mentioned, water systems are generally underfunded, to the tune of $75 billion—negative—each year. So we’re digging ourselves this huge hole, and frankly, I think people are worrying less about cyberattacks than about the water quality. And I can’t say they’re wrong.

Curran: When you say “underfunded,” is that just that there’s obvious improvements that need to be made? Or they’re just not voting bonds to fund these systems? Define “underfunded.”

Eckelberry: Well, since the 1970s, the contribution by the federal government to municipal water systems has completely, almost disappeared. In fact, it went from grants to loans. So the federal government got out of the water business completely.

The cities and counties, the water districts that were doing the work, also were faced with increasing demands for water standards. For example, let’s say the arsenic standards were increasing and that created an additional burden. And finally, you have growing populations.

And here’s the most recent factor, which is that you’ve got populations moving from the mega cities out to the boonies. So, hey, it’s great that we moved out to Bergen County. But Bergen County may not have the resources needed, like they had in Hoboken or Staten Island. That’s the problem, is that you have overburdened systems by reason of demand, regulations, and just sheer lack of financing. Luxe Research has quantified this as being roughly $75 billion increasing backlog every year.

Curran: So the problem keeps getting worse year after year.

Eckelberry: But getting back to the cyber issue, at the end of the day, it will have to be the federal government that gets involved, because who’s gonna coordinate it all? Who’s going to have uniform standards for in-depth defenses?

I came out of the security software industry. That’s what I did for years. I took a security software company public in the early 2000s. And the best defense, of course, is in-depth layered defenses. Well, you’ve got logins with the password being the word “password.” I mean, this is not a secure environment.

Curran: Mm. OK.

Eckelberry: What’s good about it is that so far the cyberattacks that have occurred have been defeated by vigilance of individuals. So an individual noticed, Hey, what’s going on here, and, you know, closed a valve or whatever. And that is the upside of relatively legacy systems, as they’re not too complicated; if things go south, they can be stopped. But, you know, at the end of the day, we have to do something.

Curran: It seems like it is being noticed. I mean, President Biden announced the Water Sector Action Plan in January [2022], I believe.

Eckelberry: Sure.

Curran: And it was planned to install cyber protections on water systems within 100 days. How successful has it been, Riggs?

Eckelberry: Well, where’s the funding? I mean, it’s like, OK, you know, King Canute waves and the waters recede? No, you have to actually fund the plan and get behind it.

And meanwhile, you’ve got municipalities. I mean, there’s that story in Compton, California, three, four years ago, where the water started running brown, and the residents said, what’s going on with this? The water district said, well, it’s magnesium, but it doesn’t hurt you. And they went, well, we’d rather have clear water if that’s OK. And the water district said, well, it would’ve been nice if you’d voted the funds for the last 10, 15 years, but you didn’t.

That got resolved by simply being absorbed by the city of LA’s metropolitan district. But still, it illustrates the problem, which is cities and counties have many, many concerns, and water tends to be “outta sight, outta mind.”

And the real issue, in my opinion, and what makes this a scandal, is that 89% of water use is by industry and agriculture—in the United States, roughly equal. So why are the cities and counties having to deal with all of that business and industrial load when they really should be in the business of supplying the people? The residents.

Curran: Right, right, right. Absolutely. But let’s talk a little bit about OriginClear. Your company has a rather ambitious idea: I understand you offer these small modular, prefabricated water treatment systems. They enable companies and housing developments to have their own dedicated water supply. How exactly does that work, Riggs?

Eckelberry: First of all, there’s a trend, an organic trend, toward off-grid water systems. Because, for example, if you’re a housing developer in a very popular area, like Florida, you’re running out of room. It’s location, location, location. And if you want to be located in a pretty good place, you’re gonna look at places that aren’t served by sewage, and then you’re looking at a big bill to pipe it in.

Well, technology exists today to take these completely off-grid, and now you have the opportunity to create housing communities that are truly self-sufficient. And that’s happening already.

We’re working, for example, with a “tiny homes” development in Texas for the homeless. That is quite a fascinating project. And they’ve already committed to doing the water treatment for that site, take care of it so they don’t burden the municipality.

So that’s already happening. Now we are sort of kicking it up a notch by turning it into water-as-a-service, because my opinion is that, sure, some people have all the money they need, but most people don’t. And so if you’re trying to, let’s say, run a brewery, and all of a sudden you’ve got to handle the water, well, generally, you’re not funded to handle the water. Generally, you’re funded to make beer.

So what we say is, look, we’ll just replace the city. You’ll still pay on the meter, but you’ll pay us. And we’ll put in the water system at our expense. We’ll maintain it. You just pay per gallon. And that’s what is generically called water as a service.

We call it “water on demand.” And what’s unique about our program is it’s open to regular investors to come in and get an asset-based investment. So it’s a lot like these master limited partnerships in oil and gas where you can invest in an oil well—you and I can do it. It’s a sophisticated investment, but it’s something anyone can do. And we believe that that is the future of water-as-a-service, is to get regular investors involved.

Curran: Mm. OK. Let’s say I own this brewery. Why would I want to get water-as-a-service versus going through the utility?

Eckelberry: Well, first of all, water rates are rising fast, at sometimes unsustainable rates, 65% higher than ordinary inflation. Number two is that if you’re treating your own water, you can get more than one turn out of it, which is attractive business-wise.

Curran: Yeah. I love the idea of recycling.

Eckelberry: We don’t do enough of it in this country.

Curran: We don’t, we don’t.

Eckelberry: You’ve heard the stats. I mean, it’s crazy. You know, Israel manages to get almost 90% recycling, but they have a command economy; they can basically say, “Let it be so.” We have a very fragmented system. As a result, there’s not a lot of action; the cities have a hard time doing it. I just saw that the Tampa City Council rejected a water reuse program, generally called “Toilet-to-Tap,” which is not a great way to market it. [Laugh.].

Curran: Yeah. [Laugh.].

Eckelberry: So people just kind of don’t like it, so it’s not going to happen centrally; it’s gonna happen at the margins.

Curran: Hmm. OK. Let’s talk about decentralizing the water supply. Why is that a good idea? Why will it keep us safer?

Eckelberry: What you’re getting at is, what about the freshwater being tainted through some cyberattack? The old LSD in the water reservoir story from the ’60s. And that is an issue. There’s no question it’s a big gaping hole.

It’s, you know, it’s funny, you don’t see it happen a lot. Even now, I’m sort of keeping an eye on what’s happening in Ukraine. I haven’t heard of anybody poisoning reservoirs. I think that would be a pretty aggressive act of war. It’s kind of a remote possibility.

What I think is more likely to happen is for the machinery of the city to be interrupted in some way through a cyberattack, and then they can’t physically deliver the water—the pumps break down, or contrary orders are given in the system, and all of a sudden the water pressure goes away.

I think that’s more likely than the tainting of the water. And I think it makes sense. If I were prepping right now, I would be thinking of an alternate water source. I would have my well source set up as a backup. And I think businesses will need to start thinking about their water risk that way.

But you’re still gonna rely on the city for it, the same way that I rely on the electrical grid for my power, but I have a battery backup. You’re still get your water from the city, and then if things fail, you should have a fallback from the aquifer. But unfortunately, it’s a lot of money to spend on an insurance policy.

Curran: The idea of decentralization, can that address cyber risks in other utilities, like the electrical grid?

Eckelberry: In the case of the electrical grid, you have people generating their own power through mostly solar. And that is really good because they can fall back on their own resources.

I’m old enough to have been through the great New York blackout that occurred back in the sixties. So people increasingly have solar. But I think that it’s gonna have to really, really, really get a lot worse for people to seriously start thinking about this. And I think that’s most people’s attitude. It’s like, it’s something that somebody takes care of, and it only worries me if all of a sudden there’s no water.

Curran: Yeah. certainly solar has made some advances. I’m halfway there. I do have solar panels on my roof, but I don’t have the batteries in the garage. So I’m still reliant upon the grid. But you just don’t hear the conversations. And I guess that’s one of the major problems with infrastructures, is the funding. I mean, how do we overcome the funding issues?

Eckelberry: Well, I’ve sort of gotten on a mission: There is a social justice side of this, which is we have populations like what we just saw in Jackson, Mississippi, that are being shortchanged with their health. Lead in the pipes, brown water, all that stuff. It is a scandal.

And if we make it like, “Hey, this is important, and by the way, you don’t have to raise $3 billion to solve the problem; just offload the business and agriculture users through what is now a very mature, decentralized system.” That is a message we’re shouting.

I believe we just have to start through these podcasts, through the press, through various means, get people thinking about, what if we just went for self-reliance? What about that? Why not go self-reliant?

Curran: Let’s go back a little bit to decentralization. You’re uniquely qualified, having brought CyberDefender with an IPO of a cybersecurity software company. So what are the risks? And from a cybersecurity perspective, what’s the advantage? Beause obviously decentralization is expanding the attack surface. Is that not a problem?

Eckelberry: Well, you’re creating fewer points of failure, right? The internet was originally designed to be a failsafe network. It is no longer, but originally it was set up on the basis of these independent nodes that would operate on a store- and-forward basis. It was an effective design. And it was decentralized.

The internet originally was decentralized. Today, we could do the same thing with water. You reduce the points of failure. …Now you’re thinking, well, yeah, but some brewery could get infected. Fine. So the brewery gets infected, but it doesn’t infect the whole network, right? So you’re reducing the amount of problems, and it’s like a blackout of a big energy grid. If there’s a lot of redundancy built into it through solar, et cetera, then it’s not gonna go down quite as fast.

So in general, decentralization is a good thing. And given that we know human nature, there will be vulnerabilities, you know? You ever hear the story about how the Mongols finally conquered the Great Wall of China. They just bribed one of the tower commanders. [Laugh.]

Curran: [Laugh.].

Eckelberry: That was it.

Curran: [Laugh.]. I was expecting something a little bit more expounded than that.

Eckelberry: They just walked in. In other words, the human factor is the big weakness.

Curran: Yeah.

Eckelberry: You can have all the systems you want, but at the end of the day, people are in charge of it. And that’s really the problem: The human link is gonna cause problems. And you’re not going to get out of that. You’re not going to suddenly get rid of the human factor. That’s the nature of it.

So when you decentralize, what are you doing? You’re installing newer systems, you’re modernizing the network. Like, I bought a Tesla. So I therefore modernized. This little platform I have? It’s a smart car; it has all kinds of safety features. I’ve upgraded my whole driving experience with the Tesla.

So water-as-a-service, what we call water-on-demand, is probably the best solution of the problem. And we’re just gonna have to lobby for centralized improvements. But remember, the more we do decentralization, the easier life is gonna be for all those municipal providers.

Curran: Riggs, you mentioned the LSD in the water in the ’60s. But there was a hack in Oldsmar, Florida, the water treatment plant there. That was an example of a break-in. Would you say that critical infrastructure is in the crosshairs of bad actors in nation-states right now?

Eckelberry: Critical infrastructure, yes. I think they’re more focused on power, frankly.

Curran: OK. Why is that?

Eckelberry: It’s more dramatic, right? You can do a lot more harm faster. Take down the grid. Everybody notices you, right?

Curran: Yeah.

Eckelberry: From one second to the next. Thank you very much.

Curran: You still remember the blackout in New York, so I mean, it has long-lasting effects, I guess.

Eckelberry: There was a big birth spike right after that, right?

Curran: [Laugh.]. That’s right.

Eckelberry: [Laugh.].

Curran: Exactly.

Eckelberry: People were spending 12 hours in an elevator. Eventually something happens.

Curran: Yeah. [Laugh.] I’m curious. Riggs, you’ve had an amazing career. Why focus on water systems and cybersecurity needed to protect it at this stage of your career?

Eckelberry: It is true that I didn’t choose to be in water. I came out of high tech and then my first beginning of this company was in a biofuel replacement called Algae. Fascinating. I was having a lot of fun. But in a way, you’re kind of drawn to the things that need you most, I would say.

So willy-nilly, I found myself initially waging uphill battle. Let me tell you, in 2016 when I started talking about decentralized water, people were like, huh? What? Today, people are getting it, you know? More and more people are aware that self-reliance is super important. So I think that high tech is migrating to every industry. Yeah.

The high-tech mentality of disruption and the whole high-tech life cycle, which is a continuous life cycle, is something that’s coming to legacy markets. That’s why Airbnb took over hotels and Uber took over taxis. And it’s gonna happen in water.

It’s happening already. So I’m really feeling like I’m in the right place to be doing this. I love it. You know, it’s so unique. And let me tell you how many people go, oh, you’re doing water. Thank God, thank you, I so appreciate it. People are aware that there’s a problem. They really are.

Curran: Mm-hmm. If you had any advice for the central providers, how can they protect us, the citizens, better?

Eckelberry: Well, first of all, let’s just take one step at a time. Number one, let’s promote the decentralization thing. The more we do it, the more robust the system will be. And that will tend to bring about recycling and so forth.

Number two, let’s try to bring the problem to the attention of policymakers. Like, Hey, we got a problem, let’s do something. Let’s keep pushing along.

Curran: I can hear the passion in your voice Riggs, so I appreciate the time today.

Eckelberry: Such a pleasure, Mike. It’s been a pleasure talking about this. I look forward to you spreading the word. It’s one podcast at a time.

Curran: I’ve been talking with Riggs Eckelberry, CEO of OriginClear.

If you’d like to read more about the rising threats to critical infrastructure and the innovative ways to defend it, check out Tanium’s new online cyber news magazine at Tanium.com. To hear more conversations with today’s top business leaders and security experts, make sure to subscribe to Let’s Converge on your favorite podcast app, such as Apple Podcasts and Spotify. If you liked this episode, please give us a five-star rating.

Thanks for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.