Water and wastewater stakeholders propose consensus-based approach to protecting from cybersecurity risks


Representatives from five national water and wastewater stakeholders have sent a letter to the U.S. Environmental Protection Agency (EPA) expressing their opinion that a cybersecurity solution for the water sector can be arrived at by consensus with, and with support from, water utilities. Such a resolution would be far more effective at protecting against cyber compromises, the letter said.

“The most effective approach is one that is risk- and performance-based, rather than top-down, one-size-fits-all. This would allow for tailored solutions based on each community’s unique set of risks, threats, and vulnerabilities,” the stakeholders wrote to the EPA.

The joint letter added that such an approach would also allow for tailored solutions based on each community’s unique set of risks, threats, and vulnerabilities. The signatories to the letter were representatives from the American Water Works Association, Association of Metropolitan Water Agencies, National Association of Water Companies, National Rural Water Association, and Water Environment Federation. 

Having repeatedly raised concerns about the agency’s pursuit of issuing a direct final interpretive rule to add cybersecurity to the sanitary survey assessments, the parties said that “our concerns have not been addressed. Therefore, we feel compelled to express our opposition to the proposed approach,” according to the letter. “As you well know, water and wastewater systems are on the front lines of protecting public health and the environment and have exceptional track records doing so. Our members have many years of experience with both sanitary surveys and cybersecurity, and they believe the surveys will be ineffective at improving cybersecurity at water systems,” it added.

Among the concerns raised, the associations said they do not believe an agency action to establish cybersecurity requirements through an interpretive rule is legally justifiable, as interpretive rules must not set new legal standards or impose new requirements.

They also said that nothing in federal or state law protects information collected through sanitary surveys by state agencies from being shared with the public. “If, for instance, a state discloses that a utility has a particular vulnerability, the information would be very valuable to hackers looking for an easy target, opening the utility up to ransomware attacks or worse,” the letter said.

State primacy agency staff are not qualified to assess the cyber readiness of a water system, according to the associations. “We anticipate state staff could misunderstand either a best practice or a utility’s implementation of said best practice and thus report an unmerited significant deficiency. This could lead to misinformation in the media, reputational harm, and fines. Worse, state primacy agency staff could unintentionally direct a utility toward a practice that is in fact inappropriate for securing the utility and perhaps open the door to a hacker,” it added.

The associations also flagged the scenario in which a state primacy agency gives a utility a clean bill of health and the utility subsequently suffers a compromise, which could put both the state and the utility in legal jeopardy.

Each state agency may develop its own procedures and recommendations for utilities, leading to a patchwork of regulations across the country. “Not only is this burdensome to water utilities that have subdivisions in multiple states, but it will complicate the development of guidance and training by the sector organizations, CISA, and even EPA. Related, many states could go farther than EPA intends in the agency’s guidance documents and turn the sanitary survey program into an entirely different regulatory regime,” according to the joint letter to the EPA.

The associations also said they are examining various options to effectively protect water systems from cyber threats. “We are eager and committed to a collaborative solution that is protective of public health and cyber infrastructure in water utilities, and we would like to work with your office to do so. However, we caution against measures that could fail to have a decisive impact on water sector cybersecurity and that lack input by water sector subject matter experts,” the joint letter added.

Cybersecurity in the water sector has been an issue for some time now. For instance, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the EPA, and the National Security Agency (NSA) in October provided details of ongoing cyber threats to the U.S. Water and Wastewater sector.

The activity identified includes cyber intrusions leading to ransomware attacks, which threaten the ability of water and wastewater facilities to provide clean and potable water and to effectively manage the wastewater of their communities. These threats come from known and unknown hackers targeting the IT and operational technology (OT) networks, systems, and devices of U.S. water and wastewater sector facilities.

Last month, the Foundation for Defense of Democracies (FDD) said that poor cybersecurity makes the water sector a weak link in critical infrastructure, affecting health and human safety, national security, and economic stability. 

The research organization said that significant cybersecurity deficiencies were observed in the drinking water and wastewater sectors, resulting in part from structural challenges. These systems operate with limited budgets and even more limited cybersecurity personnel and expertise. Conducting effective federal oversight of and providing sufficient federal assistance to such a distributed network of utilities is inherently difficult.
