By Jay Landers
The U.S. Environmental Protection Agency is moving forward with plans to require drinking water utilities to incorporate cybersecurity audits as part of the routine supervisory process conducted by states. This requirement comes amid increasing federal interest regarding the issue of cybersecurity and infrastructure.
Despite this, the agency’s plans have generated opposition from several organizations representing water providers and the states themselves. Meanwhile, alternative approaches to ensure the protection of the water sector against cyber threats have come forth from inside and outside the industry.
A vulnerable sector
Poor Cybersecurity Makes Water a Weak Link in Critical Infrastructure, a Nov. 18 report from the Foundation for Defense of Democracies, a Washington, D.C., think tank, paints a bleak picture of the state of cybersecurity within the water sector.
“America’s critical infrastructure is only as strong as its weakest link, and in the United States, water infrastructure may be the greatest vulnerability,” states the FDD report.
Factors contributing to the sector’s vulnerability, according to the report, include the high number of small drinking water and wastewater systems across the country and the sector’s increasing reliance on automation, which gives hackers potential access to the systems via the computer networks and other technology they use.
However, the FDD’s report notes that the federal government “bears responsibility for the fragility of the sector’s cybersecurity posture.” In particular, the EPA is “not resourced or organized to assess and support the water sector consistent with the scope and scale of the critical infrastructure challenges the sector faces,” the report notes.
Unfortunately, water and wastewater systems in the United States have experienced cyberattacks. In fact, an Oct. 14 Joint Cybersecurity Advisory titled Ongoing Cyber Threats to U.S. Water and Wastewater Systems issued by the FBI, the Cybersecurity and Infrastructure Security Agency, the EPA, and the National Security Agency, highlights several cyber intrusions that have occurred in recent years at domestic water and wastewater facilities.
Most of the examples involve attacks in which cyber actors gain access to a facility’s information technology networks and install ransomware, a type of malware that encrypts the victim’s information to hold it for ransom.
In August, for example, “malicious cyber actors” used a variant of the type of ransomware known as Ghost against a facility in California, according to the advisory. “The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message,” notes the advisory, which does not identify any facilities by name.
In July, hackers also “used remote access to introduce ZuCaNo ransomware” onto the SCADA computer at a wastewater facility in Maine, according to the advisory. “The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds,” the advisory notes. Similarly, the “SCADA system and backup systems” at a Nevada facility were hit by ransomware in March, and in September 2020 staff at a New Jersey facility “discovered potential Makop ransomware had compromised files within their system,” the advisory states.
Not all cyberattacks against water or wastewater systems are done for financial gain. For example, in March 2019, a former employee of a Kansas drinking water facility “unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer,” according to the advisory. More dramatically, in February of this year, someone remotely accessed the computer system at a drinking water facility in Oldsmar, Florida, and attempted to increase the concentration of sodium hydroxide in the drinking water to dangerous levels.
Sanitary surveys and cybersecurity
As the lead federal agency responsible for cybersecurity in the water sector, the EPA has been indicating for much of this year that it intends to incorporate cyber audits as part of routine drinking water sanitary surveys. Conducted every three or five years, depending on the drinking water system, a sanitary survey entails a review of a drinking water system by a state, territory, tribe, or the EPA itself. Intended to assess a system’s capability to provide safe drinking water, such reviews examine eight areas: source water, treatment, distribution system, finished water storage, pumps, monitoring and reporting, management and operation, and operator compliance.
As part of fiscal year 2022 budget justification documents submitted to Congress in May, the EPA stated its intention to “work with each state, territory, and tribe to develop and train a cadre of technical assistance providers who can work directly with individual water systems to assess and enhance their cybersecurity practices.”
As part of this effort, the agency “also would seek to train individuals on how to integrate cyber training into their sanitary survey assessments,” according to the EPA’s budget justification documents.
More recently, the EPA spelled out in slightly more detail its plans for incorporating cybersecurity evaluations as part of sanitary surveys. On Dec. 10, President Joe Biden’s administration published its Fall 2021 Unified Agenda of Regulatory and Deregulatory Actions. As part of this document, the EPA indicated that it plans to issue a final rule in April 2022 stipulating that sanitary surveys “should include an evaluation of cybersecurity to identify significant deficiencies.” Such a rule is “necessary to convey to states that EPA interprets existing regulations for public water system sanitary surveys as including the possible identification of significant deficiencies in cybersecurity practices,” according to the Unified Agenda.
Opposition to the plan
As it happens, the Unified Agenda was released one day after five water-related associations expressed their opposition to the EPA’s plans for including cybersecurity as part of drinking water sanitary surveys. On Dec. 9, representatives of the American Water Works Association, the Association of Metropolitan Water Agencies, the National Association of Water Companies, the National Rural Water Association, and the Water Environment Federation voiced their disapproval in a letter to Radhika Fox, the EPA’s assistant administrator for water.
“Our members have many years of experience with both sanitary surveys and cybersecurity, and they believe the surveys will be ineffective at improving cybersecurity at water systems,” said the letter. “We believe a solution to securing cybersecurity for the water sector that is arrived at by consensus with and support from water utilities will be far more effective to protect against cyber compromises.”
The organizations cite several concerns about the EPA’s plans, including the fact that “nothing in federal or state law protects information collected through sanitary surveys by state agencies from being shared with the public,” according to the letter. The groups also warn that, in the event a utility receives a “clean bill of health” from a state primacy agency only to suffer a cyberattack afterward, “both the state and the utility could be put in legal jeopardy.”
The five organizations were not the first to put their concerns about the EPA’s plans in writing. In a Sept. 29 letter to Fox, the Association of State Drinking Water Administrators stated: “While we appreciate the need to improve cybersecurity in a timely manner, adding cybersecurity to sanitary surveys will not achieve the desired outcome for several reasons.”
Among its concerns cited in its letter, the ASDWA, which represents the very state programs that conduct the sanitary surveys, flatly stated that “sanitary survey inspectors do not have the technical skills and knowledge to assess the adequacy of cybersecurity or make recommendations to resolve cybersecurity deficiencies.”
Other EPA efforts
As for cybersecurity requirements for wastewater utilities, the EPA is “in the early stages of determining how cybersecurity can be incorporated into” National Pollutant Discharge Elimination System permits, says Cynthia Finley, Ph.D., the director of regulatory affairs for the National Association of Clean Water Agencies. “Based on our conversations with EPA, they are trying to find a way to ensure that wastewater utilities have evaluated their cybersecurity and considered measures they can take to keep their systems secure from cyberattacks,” Finley says.
The EPA did not respond to an inquiry from Civil Engineering regarding possible cybersecurity requirements for wastewater agencies.
Separately, the Biden administration has prepared a draft plan under which water utilities would voluntarily report data regarding cyberattacks to the federal government, according to a Dec. 3 Wall Street Journal article. Under the plan, the EPA and CISA would help utilities detect such attacks, according to the article. (The EPA did not respond to a request from Civil Engineering for details regarding the draft proposal, which has been shared with various water-sector trade groups.)
To improve the cybersecurity of water infrastructure, the FDD calls in its report for increased cooperation between the federal government and the water sector. Among its suggestions, the FDD recommends that Congress substantially boost funding for cybersecurity programs within the EPA Office of Water. The FDD also calls on the EPA to ensure that more funding from the Drinking Water and Clean Water state revolving funds go toward cybersecurity projects.
In other recommendations, the FDD suggests that Congress direct CISA — the main federal entity charged with the task of protecting U.S. infrastructure from cyber and physical threats — to increase support for the EPA and the water sector. The FDD also calls for the creation of a “joint industry–government cybersecurity oversight program” that would develop cybersecurity standards for the water sector, according to the report.
A similar sort of plan was recently put forth by the AWWA. In August, the association released a report, titled Strengthening the Cyber Resilience of America’s Water Systems: Industry-Led Regulatory Options, proposing the creation of a new entity to be known as the Water Risk & Resilience Organization. To be led by the water sector, this entity would “manage the development of mandatory cybersecurity standards and oversee compliance with them,” the report states. In this way, the water sector “would manage the standards development process and associated implementation, and thereby capitalize on the sector’s expertise of water utility operations and governance,” according to the report. At the same time, the EPA would provide oversight, while CISA and the Department of Energy would provide technical support.