Federal cyber mandate looms for local water systems

By Hannah Northey, Christian Vasquez | 08/30/2022 01:56 PM EDT

The coming federal mandate has fueled concerns in the water sector about the ability of cash-strapped states with limited cyber expertise to shoulder such a hefty and quickly evolving responsibility.

Water faucet with binary code hacking  illustration.

EPA is working on new rules that would require states to assess cybersecurity measures at water utilities. Claudine Hellmuth/E&E News (illustration/animation); EPA (faucet); Kjpargeter/FreePik (binary code)

EPA is set to unveil a new federal mandate requiring states to expand inspections of about 1,600 water systems to include cybersecurity threats, according to a senior administration official.

The official, who asked to remain anonymous in order to speak candidly, said EPA is not issuing a new rule but instead will release a so-called implementation memo based on the agency’s existing authority under the Safe Drinking Water Act.

Ultimately, states already responsible for inspecting everything from tanks to pumps and operations at hundreds of public water systems across the nation would also be responsible for ensuring utilities are protected against hackers.

Advertisement

A source familiar with the plan said the memo could be released this fall.

The plan, which has been debated for almost a year now, has fueled concerns in the water sector about the ability of cash-strapped states with limited cyber expertise to shoulder such a hefty and quickly evolving responsibility.

The senior administration official said the administration is aware of those concerns and they are working with members of Congress to make sure states have the resources, staffing and training needed to get the work done to address vulnerabilities in water security that could affect drinking water systems.

“The idea would be to help get them the resources and folks they need who can help in the cybersecurity space,” the official said.

EPA in a statement highlighted the various ways the agency is boosting cybersecurity across the water sector using its available authorities and resources, as well as actively implementing the Biden administration’s strategy for securing critical infrastructure.

The agency also said it’s partnering with states to help them identify assessment and technical assistance and has encouraged states to use an influx of funding through the infrastructure package to tackle both resiliency and emerging threats like cyberattacks.

Cybersecurity in the water sector took the limelight last year after hackers successfully gained control of a Florida water utility’s operating systems (Energywire, Feb. 10, 2021).

In July, Anne Neuberger, deputy national security adviser for cyber and emerging technology for the White House, said at an event hosted by the Center for a New American Security that EPA would soon issue a rule requiring states to oversee more than 1,000 water utilities’ cybersecurity plans as part of ongoing sanitary surveys (E&E News PM, July 29).

Touting Biden’s “relentless” focus on securing critical infrastructure from cyberthreats, Neuberger said EPA has the “basis of knowledge” to ensure that the water sector is protected from hackers, but the agency needs Congress to add additional authorities.

EPA’s rule would arrive almost a year after the Biden administration asked Congress to give EPA additional authority to regulate cybersecurity in the water sector (E&E Daily, Nov. 4, 2021).

Confusion mounts

The rule has yet to materialize, and those closely watching EPA say they’ve heard nothing is in the works.

“We do understand that EPA expressed an intent to introduce an interpretive rule. We are not aware of any planned action as suggested by White House staff in conversations with EPA as indicated,” said Kevin Morley, manager of federal relations for the American Water Works Association. “Action might be something other than a rule.”

The Biden administration first revealed it was crafting a cybersecurity rule for the water sector last year in its fall regulatory agenda for 2021, with a completion date of April 2021.

In the agenda, the White House wrote that “sanitary surveys, which states, tribes, or the EPA typically conduct every 3 to 5 years on all public water systems, should include an evaluation of cybersecurity to identify significant deficiencies.”

“EPA recognizes, however, that many states currently do not assess cybersecurity practices during public water system sanitary surveys,” the agenda continued. “This action is necessary to convey to states that EPA interprets existing regulations for public water system sanitary surveys as including the possible identification of significant deficiencies in cybersecurity practices.”

But that same agenda item was later pushed back in the White House’s spring regulatory agenda, where it’s now listed as potential, long-term regulatory action with no finalization date. Now, the agenda states that EPA is “evaluating regulatory approaches to improve cybersecurity at public water systems” and “plans to offer separate guidance, training, and technical assistance to states and public water systems on cybersecurity.”

The water sector has acknowledged there’s a need to boost its cyber protections.

Last year, a survey of 606 drinking and wastewater organizations by the Water Sector Coordinating Council found half spent less than 5 percent of their budget on IT security. The smallest utilities that service less than 3,300 people spent less than 1 percent on information or operational technology security.

The WSCC survey noted that many utilities “are subject to economic disadvantages typical of rural and urban communities. Others do not have access to a cybersecurity workforce.”

Industry, congressional pushback

While most in the water sector agree cybersecurity protections need to be stepped up, there are varying opinions on how to get there.

Robert Powelson, president of the National Association of Water Companies, a trade group representing investor-owned utilities, told The Wall Street Journal late last year that the water sector is highly fragmented but needs regulations akin to those for interstate transmission of electricity. Powelson also dismissed talk of voluntary standards as ‘hogwash.”

Others criticized EPA’s approach of expanding sanitary surveys to include cybersecurity.

“The sanitary survey is the wrong tool,” said Morley. “This is not the traditional skill set that the sanitarian has when they go out and do what they normally do under the survey.”

Danielle Jablanski, operational technology cybersecurity strategist at the cybersecurity firm Nozomi Networks, said that measuring success with new regulations could be hampered if there’s little consideration that utilities don’t have access to the same resources.

The same applies to state and local government where there can be a patchwork of varying degrees of knowledge and access to resources, Jablanski said. Additional federal partnerships with state and local governments can be a boon as they have the “on the ground tacit knowledge” of how a cyberattack can impact local citizens.

Additionally, Jablanski said that one of the major points missing from the conversation is the amount of information that has been gathered by malicious hackers. Ransomware and theft of intellectual property has been rampant in critical infrastructure for years, and that pilfered information could be used for future attacks.

The water sector, for its part, says it’s already combating cyberthreats, as required by America’s Water Infrastructure Act of 2018, Section 2013 updates the Bioterrorism Act of 2002.

The update requires utilities to conduct risk and resilience assessments and have emergency response plans that include cybersecurity. Utilities are not given a specific list of prescriptive cybersecurity requirements but instead need to consider potential threats and plan how to improve resilience against hackers. Utilities must submit a certificate to EPA every five years.

Last week, EPA sent Congress a report — as required by the bipartisan infrastructure package — that laid out the future support it plans to offer small water utilities, including “cybersecurity checklist guidance and training” through a collaborative stakeholder process as early as next year.

Even so, EPA has been the subject of concern from many policymakers.

Rep. Jim Langevin (D-R.I.), chair of the House Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems, said earlier this year that “EPA itself also faces challenges in meeting its responsibilities when it comes to the day-to-day relationship between the federal government and their water sector.”

A report released by the Foundation for Defense of Democracies in November painted a starker tone.

The report notes that the Office of Water, tasked with leading the agency’s cybersecurity efforts, only has a handful of employees and is “vastly under-resourced.”

Stresses on states

The water sector will be watching to see how EPA addresses their concerns about the knock-on effects for cash-strapped state agencies with limited expertise and weak disclosure rules.

In a letter to EPA Assistant Administrator for Water Radhika Fox last year, groups including the American Water Works Association and the Association of Metropolitan Water Agencies, or AMWA, which represents metropolitan drinking water suppliers, said their repeated concerns about EPA’s pursuit of a “direct final interpretive rule” had not been addressed.

Ultimately, the groups said water and wastewater systems collaboratively — not just EPA — should come up with a solution to hacking threats.

The groups warned that state regulators conducting the surveys aren’t qualified to gauge whether water systems can thwart hackers, and their mistakes could fuel “misinformation” in the media, reputational harm or fines. What’s more, the groups warned there are no federal or state statutes to ensure what information inspectors do collect won’t be publicly disclosed, which could send a green light to hackers that the utility is insecure.

Dan Hartnett, a spokesperson for AMWA, said he fears EPA’s mandate would cut out public comment and stress state officials already facing tight budgets. That’s partially because the Administrative Procedure Act exempts interpretive rules from its notice and comment requirements.

Hartnett said sanitary surveys are usually conducted by state regulators or “sanitarians” working within state environmental protection agencies who have no cybersecurity expertise.

Alan Roberson, executive director of the Association of State Drinking Water Administrators, said he wants to see a “blended approach” wherein the federal government assembles a cadre of up to 200 cybersecurity experts from agencies like the Department of Homeland Security to work with state inspectors and provide immediate assistance and support.

“These are people used to looking at plants and tanks, and now you’re going to have them digging into the internet, the ethernet,” Roberson said of state inspectors. “They’re not going to be able to make the appropriate assessments and determine if a mitigation plan is needed.”