
The EPA says it will enforce cybersecurity standards on water systems

Water systems are vulnerable to attacks that could have major consequences, according to the EPA.

Francis Scialabba


The modern-day water wars are already here, and the feds want utilities to prepare. This month, the US Environmental Protection Agency (EPA) announced new rules that will require state governments to audit public water utilities for cybersecurity procedures and preparedness—and will allow regulators to force them to improve their security.

While the EPA’s new guidance is intended for immediate implementation, the agency is accepting public comment until May 31, 2023. An extensive checklist the EPA has distributed states that “potential significant deficiencies” can include everything from the use of default or insecure passwords in operational technology, to inadequate vulnerability mitigation, to the lack of a named cybersecurity lead, separately stored backups, or an incident response plan.

While federal officials have long fretted about the state of cybersecurity for the nation’s critical infrastructure, water supplies have been a point of particular concern, given that an attack could have immediate and widespread physical consequences on public water systems (PWS). In 2021, hackers allegedly deleted programs controlling water treatment at a San Francisco Bay Area plant, while another incident that year in Florida saw a threat actor attempt to pump dangerous amounts of sodium hydroxide (also known as lye) into a municipal water system.

In 2021, the Water Sector Coordinating Council conducted a survey of the US water and wastewater sector and found that nearly 60% of respondents reported conducting cybersecurity risk assessments less than once a year or never, or did not know when one had last been conducted. Top challenges for the sector included minimizing control system exposure, risk assessment, vulnerability detection, identifying threats and best practices, and incident/emergency planning.

Over 42% of respondents said their utility had no cybersecurity component to their risk management plan.

“These PWS are at high risk of being victimized by a cyberattack—whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor,” Shayla R. Powell, a public affairs specialist at the EPA, told IT Brew via email. “The purpose of the EPA Checklist, which reflects DHS’s cross-sector Cybersecurity Performance Goals, is to promote the use of practices, such as strong passwords and multi-factor authentication, that reduce the risk of a cyberattack compromising clean and safe drinking water.”


Powell added the EPA had offered “nationwide, comprehensive training and technical assistance” to utilities on how to best comply with the new guidelines, saying the agency had conducted separate training sessions for both state officials and utility operators. She added the EPA’s other offerings include consultations with technical experts on assessing cybersecurity practices and closing security gaps.

“Further, EPA is prepared to conduct cybersecurity assessments at water systems if requested by the state,” Powell wrote.

According to CyberScoop, the new rules have spurred some pushback from both water utilities—a coalition of water operator groups signed a letter in January calling the new rules “ill-advised, impractical” and outside the agency’s authority—and some experts who question whether site surveyors have the right skill-sets to conduct the assessments. The American Water Works Association, for example, would prefer industry to set its own mandatory standards with EPA involvement reduced to an oversight role.

“Many of the water clients we work with have contracting firms that do basic IT services for them split across multiple companies because it’s the only way they can afford it,” Rob Lee, CEO of industrial cybersecurity firm Dragos, told CyberScoop. “There is not the skill-sets to go audit these [utilities] and there’s not a large set of cybersecurity skill-sets in general, let alone in every single state [sanitation department]. I think it’d be impossible to pull this off.”—TM
