A White House announcement that the Environmental Protection Agency will delegate cybersecurity regulation for state water utilities through local sanitation inspections is receiving a growing amount of pushback from industry groups and cybersecurity experts.
The decision follows months of public dispute between the water sector and the EPA over how to adequately monitor the water supply for cyberthreats, an increasing concern following cyberattacks on water facilities in California and Florida.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, revealed the administration’s plans during an interview last week, saying she believes the EPA is well-equipped to ensure the cybersecurity of the sector is “holistically considered.”
Enforcing cybersecurity regulations across the vast water sector is no small undertaking. Industry officials say there are 51,000 drinking water systems nationwide and an estimated 85 percent of water companies are municipal and sometimes very small.
By not tailoring the approach to better assess and confront different utilities’ cybersecurity needs, and by relying on workers untrained in cybersecurity to carry out audits, industry groups say the EPA could be setting up a system that misses cyberattacks.
Industrial cybersecurity experts also scoffed at the notion that state sanitation inspectors can effectively monitor and regulate cyber controls.
“Many of the water clients we work with have contracting firms that do basic IT services for them split across multiple companies because it’s the only way they can afford it,” said Rob Lee, CEO of Dragos, an industrial cybersecurity firm. “There is not the skill sets to go audit these [utilities] and there’s not a large set of cybersecurity skill sets in general, let alone in every single state [sanitation department]. I think it’d be impossible to pull this off.”
A spokesperson for Neuberger at the White House National Security Council (NSC) told CyberScoop that there are currently no minimum cybersecurity mandates for the water sector and the Biden White House is working across the administration, industry and Congress to ensure every critical sector has minimum cybersecurity standards in place.
“These mandates are foundational to getting the sector the resources necessary to improve their cybersecurity – specifically to the 1,600 water companies that are critical due to the population size they serve,” the NSC spokesperson said via email. “There is no one-size-fits all approach to securing critical U.S. infrastructure since every sector is so different.”
The NSC spokesperson said the administration is working closely with the EPA to better secure the water sector and that change will take time. An EPA spokesperson said the agency has “engaged with our valued water sector partners on this important topic.”
But the country’s largest water industry group, the American Water Works Association (AWWA), said the EPA has ignored its outreach and forged ahead with the rule change without engaging. Kevin Morley, the head of federal relations for AWWA, said sanitation reviews are largely visual inspections to ensure water utility’s physical equipment — tanks, pipes and the like — is working effectively.
“We see significant challenges on the implementation side for the state to even evaluate some of the most basic cybersecurity controls that we would think would be appropriate,” Morley said. “How do you assess other than just [the sanitation inspector] saying, ‘Yeah, I did that.’”
Neuberger said last week that she is confident EPA staff “have the basis of knowledge” to ensure cybersecurity standards are effectively regulated.
But Rep. Jim Langevin, D-R.I., an influential member of the House Homeland Security Committee and the Cyberspace Solarium Commission, said in June that the EPA “faces challenges in meeting its responsibilities” against cyberattacks.
CyberScoop reported in June that the EPA’s cybersecurity arm within the Office of Water has at most $7 million in its annual budget for cybersecurity, far short of the $45 million the CSC recommended in its final report in March 2020. The EPA has declined to comment on that contention.
The CSC’s report decried the lack of coordination between the public and private sectors in monitoring and regulating water utilities’ cybersecurity practices and sounded alarms about water sector preparedness for cyberattack.
There is precedent for hackers infiltrating water utilities. In February 2020, a hacker infiltrated remote access software shared by employees at a Florida water plant, raising lye to more than 100 times normal levels.
Langevin has backed up the water sector’s claims about the EPA’s staffing and budget shortfalls, saying in June that until the EPA is “appropriately resourced and empowered to fulfill its critical mission” as the risk management agency for water, it will be difficult to bolster the sector’s security.
Lee from Dragos said it’s a thorny dilemma, particularly with so many utilities facing vastly disparate challenges based on their size and funding. The underlying problem is how to pay for the cybersecurity the water sector should have, he said — a problem that Lee said is compounded by the fact that water utilities cannot easily raise fees due to their monopoly status.
Utilities “don’t have the resources to do cybersecurity today so just telling them that now they must, and they must do it through regulation, still doesn’t change the economic situation,” Lee said. “There’s a whole people, process, technology and regulatory shift that needs to happen … They’re gonna have to spend a long time — we’re talking years — to resource and build up staff.”
Clarified 8/7/22: to include comment from the White House National Security Council