Recent cyberattacks on U.S. water and wastewater systems and other critical infrastructure have pushed the American Water Works Association (AWWA) to commission a report that examines approaches for increased cybersecurity oversight and accountability. The rise in domestic and foreign cyber threats and attacks has created a need for a stronger regulatory framework that supports cyber resilience in the water sector.
AWWA commissioned the report from Dr. Paul Stockton, a cybersecurity expert who previously served as Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs. Stockton’s report proposes options for establishing a new sector-led organization to manage the development of mandatory cybersecurity standards and oversee compliance with them. Federal oversight under this approach would focus on defining the requirements for standards and approving them for implementation, similar to the model that already exists in the energy sector.
In his report, Stockton said that the most effective and efficient way to develop mandatory standards is to build on the foundation established by existing guidelines. For water systems, that foundation includes the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and section 2013 of America’s Water Infrastructure Act of 2018 (AWIA).
The study drew on the oversight model used for the Bulk Power System (BPS), which covers electricity generation, transmission, and control systems. In the BPS, electric utilities and an industry organization, the North American Electric Reliability Corporation (NERC), develop standards that are vetted and then either approved or, on rare occasions, rejected by the Federal Electricity Regulatory Commission (FERC). FERC serves the federal oversight function, while NERC develops the standards and assesses compliance with those that are approved.
“The proven value of this approach: if the sector helps draft the standards that they know will be enforced against them, they will be supportive of the enforcement system that ‘holds the stick’ over them to create accountability,” Stockton said in his report. “Put a different way: because they are in on the takeoff, they are in on the landing. This approach is also structured to encourage a high degree of shared action to support systems with compliance challenges. No equivalents to NERC or FERC exist in the water sector.”
Stockton’s paper examines options to provide similar oversight functions to support cybersecurity risk management in the water sector. One of its proposals is for the establishment of a Water Risk & Resilience Organization (WRRO) that will lead the development of mandatory standards, with strong participation by water sector representatives.
Several water sector associations already provide valuable support to their members on cybersecurity issues. Rather than selecting one of them to lead standards development and compliance, the WRRO would serve and represent the perspectives of utilities across the sector. Existing associations and their members are best positioned to reach a consensus on how the WRRO should be governed and resourced.
Stockton’s report said that the approach would require legislative action to authorize the oversight function and define the scope of coverage for mandatory water utility participation in implementing minimum standards of practice developed by the WRRO. The standards developed and selected must be scalable and risk-based given the differences in utility operations across all size categories. Resourcing this new approach will be critical to successfully supporting the cyber needs of the water sector.
The initial establishment of the WRRO could reasonably be supported through a Congressional appropriation, either directly or through USEPA’s budget, the report said. In the long term, the WRRO would need to select a sustainable funding approach, such as a fee system based on the number of customers served, to equitably support the development of performance standards and compliance assessments, it added.
According to the report, mandatory standards can establish a much-needed ‘floor’ for cyber resilience. Properly designed, mandatory standards can also give utilities considerable flexibility in deciding how to meet performance goals and other requirements. Enforcement mechanisms tailored to meet water system needs can also help ensure that across the nation, water utilities are bolstering their security in ways that the sector itself, in collaboration with the US Environmental Protection Agency (USEPA), has determined are most vital.
The USEPA would be the principal federal oversight agency with technical support provided by the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Energy (DOE) given existing cybersecurity expertise. However, the water sector would manage the standards development process and associated implementation, and capitalize on the sector’s expertise in water utility operations and governance.
Cybercriminals pose an immediate and growing threat to infrastructure operators. But threats to drinking water and wastewater systems also need to be placed in a broader geopolitical context. In February, unidentified cyber attackers gained access to a control panel at the water treatment plant in the city of Oldsmar near Tampa, Florida. A modification to one setting would have drastically increased the amount of sodium hydroxide in the water, which could have poisoned the city’s water supply.
Subsequently, in May, the Metropolitan Water District of Southern California was allegedly breached by suspected Chinese-backed hackers exploiting security vulnerabilities in Pulse Connect Secure appliances, vulnerabilities that CISA had first brought to public attention in April. The Department of Homeland Security’s intelligence office issued a call to arms to the water and wastewater sector, warning that “high profile cyber-attacks against water and wastewater systems (WWS) sector networks will increase as criminal, nation-state, and terrorist cyber actors seek to exploit enduring vulnerabilities to achieve financial, geopolitical, or ideological objectives.”
“AWWA recognizes that actions necessary to mitigate cyber risks to drinking water and wastewater systems require a collaborative partnership between owner/operators and federal, state and local partners,” Pat Kerr, chair of AWWA’s Water Utility Council, said in a media statement. “Because the sector collectively deals with a complex set of information systems and hardware that operates around-the-clock to ensure public health and safety, there is an opportunity and need to improve cybersecurity across the sector,” Kerr added. “Taking no action is not acceptable.”
Industry vendors share similar views on enhancing the cyber resilience of America’s water and wastewater systems. Rockwell Automation said that an installed base evaluation (IBE) helps inform the development of a cybersecurity plan, but that the plan itself must address certain objectives.
“First, it should be aligned with security standards and regulations, such as the NIST security framework, ISA/IEC 62443 and ISA84/IEC TC65,” Janine Nielsen, Rockwell Automation’s business development manager for the water/wastewater industry, wrote in a company blog post. “Your plan should also use a defense-in-depth security approach. This involves using multiple layers of protection to mitigate threats,” she added.