Research body says EPA ‘misses mark’ with proposed cybersecurity standard for water utilities


The Foundation for Defense of Democracies (FDD) said this week that the proposed regulatory move on cybersecurity for water and wastewater utilities by the U.S. Environmental Protection Agency (EPA) misses the mark. 

The FDD’s remarks come in the wake of the agency’s pursuit of a new cybersecurity requirement without prior consultation and collaboration with the water sector. “While the EPA’s cybersecurity support for the water sector is sorely needed, the agency would greatly benefit from collaborating with water sector experts,” the Washington, DC-based research organization said in a policy brief.

The FDD echoes its earlier call for a government-industry collaboration to establish cyber standards, accompanied by federal grants to help pay for the effort.

“One positive element of the EPA’s proposal is its recognition that cybersecurity applies to wastewater utilities as much as to drinking water utilities,” researchers Mark Montgomery and Trevor Logan wrote in the FDD brief. “Our report called for amending the American Water Infrastructure Act of 2018 to include wastewater utilities alongside water utilities when conducting risk and resilience assessments, which include cybersecurity. However, while the EPA’s position is laudable, implementing it via a survey assessment would be problematic.”

Instead, the best way to implement this and other U.S. government efforts to improve the water sector’s cybersecurity is through industry-government collaboration aimed at establishing cybersecurity standards, and by funding grant programs to support those efforts, the FDD said. 

Earlier this month, representatives from five national water and wastewater stakeholders sent a letter to the EPA expressing their opinion that a solution for water sector cybersecurity can be arrived at by consensus with, and support from, water utilities. Such a resolution would be far more effective in protecting against cyber compromises, the letter said.

The U.S. has approximately 52,000 drinking water and 16,000 wastewater systems, most of which serve small- to medium-sized communities of fewer than 10,000 residents. 

The water associations’ letter itself pledges the sector’s commitment ‘to a collaborative solution’ and requests a conversation with the EPA, FDD said.

FDD has proposed that the path forward for the U.S. government and the critical water infrastructure sector should also include properly resourcing and organizing the EPA to support the sector’s cybersecurity, creating and funding assistance programs for water and wastewater utilities, similar to those for energy utilities, and providing support to water associations to expand training and technical assistance.

Likewise, Congress should create a joint industry-government cybersecurity oversight program for the water sector, FDD said. Lawmakers can apply lessons learned from other industry-led approaches to developing cybersecurity regulations, like those in the electricity subsector. Through collaborative efforts, the industry-government oversight program can provide a framework for the EPA to oversee the development and implementation of effective cybersecurity standards, while water and wastewater utilities can receive the federal support they need, it added.

A recent survey by the Water Sector Coordinating Council noted that the water sector is faced with shrinking budgets and increased cyber vulnerability due to greater automation of systems. In addition, water utilities need technical assistance and financial support, not an assessment by inspectors, who would likely be ill-prepared and whose inspections could vary greatly across 50 states.

In a separate and related development, the current U.S. administration is readying a proposal to shore up the cybersecurity of the U.S. water supply, a system maintained by thousands of organizations with sometimes glaring vulnerabilities to hackers, according to a report earlier this month by The Wall Street Journal.

“The plan broadens a White House initiative to persuade key industrial companies to upgrade technology for detecting cyberattacks. U.S. officials hope water utilities will analyze and voluntarily report such data to help authorities monitor threats to different types of critical infrastructure,” it added.

Last month, the FDD also said in a report that cybersecurity issues in the water sector have been brewing in the national infrastructure, which could affect health and human safety, national security, and economic stability. Significant cybersecurity deficiencies observed in the drinking water and wastewater sectors result in part from structural challenges. These systems operate with limited budgets and even more limited cybersecurity personnel and expertise. Conducting effective federal oversight of, and providing sufficient federal assistance to, such a distributed network of utilities is inherently difficult.
