EPA issues water cybersecurity mandates, concerning industry and experts
A day after the Biden administration issued its national cybersecurity strategy urging new regulations for the critical infrastructure sector, the Environmental Protection Agency released a mandate for the water sector on Friday. The regulations require states to ensure that public water systems “evaluate the adequacy” of any digital defenses through sanitation surveys.
The mandate is “a significant step forward to increase the cybersecurity Americans routinely rely on,” Anne Nueberger, deputy national security adviser for cyber and emerging technology, said during a media briefing on Thursday. Furthermore, she said, it represents the ongoing work the administration is doing with the private sector “to share with them where we see gaps in cybersecurity, and how we can close those gaps.”
EPA Assistant Administrator Radhika Fox echoed the need for greater cybersecurity protections inside the water sector. “Many [facilities] don’t even have basic cybersecurity practices in place, as a result the water sector, a critical infrastructure sector to the United States, is at risk of cyberattacks.”
The water sector has been aware of the issue for years and have not shied away from regulations. A 2021 study by the American Water Works Association called for cybersecurity regulations similar to those of the electric grid with industry creating minimum cyber rules with oversight from the EPA.
While the administration and experts have expressed growing concerns about cybersecurity risks inside the nation’s water plants, especially after the attempted poisoning of the water supply in Oldsmar, Florida, in 2021, many industry experts suggest the new regulations could do more than harm than good.
Cybersecurity experts have noted that sanitation surveyors do not have the knowledge to adequately assess the complex subject of protecting industrial systems from cyberthreats that could range from insider attacks to nation-state hacks. Additionally, many insiders say the mandate issued Friday was not developed in collaboration with industry groups, despite the administration’s pledge to work alongside stakeholders when developing new cyber regulations.
In a blistering letter sent on Jan. 25 to EPA, a coalition of water trade groups said that the plan to add cybersecurity to the water sanitation surveys was “ill-advised, impractical, and are not designed to meaningfully improve system resiliency.” Additionally, the letter questions the legality of the memo that has been called an interpretation by the EPA of existing authorities under the Safe Drinking Water Act. The trade groups, however, say that the regulations are not “legally justifiable, as interpretive rules must not set new legal standards or impose new requirements.”
Another letter from the Association of State Drinking Water Administrators noted concerns around: “lack of subject matter expertise, lack of a standard to measure against, protection of sensitive information, potential liability for the states, the low frequency of sanitary surveys compared to rapidly evolving cybersecurity threats, and the state staff burden for assessing and monitoring systems’ cybersecurity activities.”
Depending on how many customers a public water utility serves, the sanitation surveys occur once every three to five years, an extensive amount of time compared with the rapid pace that cyberthreats evolve.
Asked for comment, Shayla Powell, a public affairs specialist at EPA, said in an emailed statement that “EPA interprets this regulation to require that when a PWS uses operational technology, such as an industrial control system (ICS), as part of the equipment or operation of any required element of a sanitary survey, then the sanitary survey of that PWS must include an evaluation of the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.”
Additionally, Powell noted that “EPA and the Association of State Drinking Water Administrators convened in 2022 a workgroup of representatives from state and tribal drinking water agencies to discuss evaluating cybersecurity in PWS sanitary surveys. Over the course of four months, EPA engaged with the workgroup on their issues of concern and solicited comments on potential approaches to address them.” The statement also says that EPA participated in discussions with the Water Sector Coordinating Council which includes multiple major industry water groups.
The public comment period on the memo and guidance is open until May 23. The EPA is also providing “technical assistance and resources to assist states and water systems as they work towards implementation of a robust cybersecurity program,” according to the press release. “As we issue this implementation memorandum, we are committed to partnering with states in exercising their authority,” said the EPA’s Fox.
The regulations would allow for utilities to have multiple options in how they conduct the assessments through the sanitary surveys. Water utilities can conduct a self-assessment or an approved third-party resource such as a Cybersecurity and Infrastructure Security Agency cybersecurity adviser, through the EPA’s water sector cybersecurity evaluation program, or a “private sector technical assistance provider” that has state approval. States can also themselves conduct the assessment or have a cybersecurity program which covers all critical infrastructure.
Mike Hamilton, CISO of cybersecurity firm Critical Insight, said that self-assessments are usually “aspirational” and don’t usually paint the full picture. Additionally, the vast number of water utilities presents a massive scalability problem if there is too much reliance on DHS or EPA.
“It’s a bit disheartening that the third-party assessment resources seem limited to DHS, EPA, and States, making this activity hard to scale across the breadth of water utilities across the country,” said Hamilton. “Allowing for private-sector cybersecurity companies to perform assessments would accelerate the collection of information and the development of corrective action plans.”