By Jay Landers
The U.S. Environmental Protection Agency in early March released its plan to require states to evaluate the cybersecurity of drinking water providers. This followed more than a year of entrenched opposition from much of the drinking water community. The evaluations will be conducted as part of the state-run inspection process known as the sanitary survey and are intended to address what the EPA maintains are serious deficiencies in cybersecurity across the drinking water sector.
Meanwhile, legislation recently introduced in Congress would promote improved security practices among drinking water providers, in part by helping them join an existing nonprofit organization dedicated to addressing security threats faced by water and wastewater utilities.
New threats require a new approach
On March 3, the EPA’s Office of Water released a memo to state drinking water administrators directing them to assess cybersecurity during sanitary surveys. Conducted every three to five years, depending on the water provider, these surveys are performed by states, territories, tribes, or, in certain cases, the EPA itself.
A survey consists of “an onsite review of the water source, facilities, equipment, operation and maintenance of a public water system” to assess its adequacy in producing and distributing safe drinking water, according to Section 141.2 of the Code of Federal Regulations.
During a March 2 call with news media, Radhika Fox, the EPA’s assistant administrator for water, justified the inclusion of cybersecurity assessment in sanitary surveys by noting past incidents as well as the failure of many water systems to take adequate steps to protect themselves from cyberthreats.
“When we think about cybersecurity and cyberthreats in the water sector, this is not a hypothetical,” Fox said. “This is happening right now. We have seen these types of attacks from California to Florida, Kansas, Maine, and Nevada. What we also know is that while some water systems really have incorporated cybersecurity best practices, many don't even have basic cybersecurity practices in place.”
New threats require a new approach to address them, Fox said. “Historically, sanitary surveys have been utilized to protect water utilities from physical vulnerabilities,” she said. Now, cybersecurity is also considered essential to being able to deliver clean, safe water.
In its March 3 memo, the EPA states that it now interprets the sanitary survey regulatory requirements to cover the cybersecurity adequacy of operational technology, such as industrial control systems.
Given the widespread use by community drinking water systems of such operational technology as supervisory control and data acquisition systems, all but the smallest of U.S. water systems likely will be subject to cybersecurity evaluations as part of sanitary surveys, says Dan Hartnett, the chief advocacy officer for the Association of Metropolitan Water Agencies.
In the event that a state identifies a “significant” cybersecurity deficiency during a sanitary survey, the state must require the public water system to fix the issue, according to the March 3 memo. These significant deficiencies include “the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water,” the memo states.
Options, guidance for states
In its memo, the EPA notes that states have three ways to include cybersecurity in sanitary surveys. One option simply involves a state evaluating cybersecurity practices directly during a sanitary survey.
Another option involves self-assessment or third-party assessment of a water system’s cybersecurity practices. The results of such an assessment would be made available to the state before a system’s sanitary survey is conducted. During the survey, the state surveyor “should confirm completion of the assessment and determine whether identified cybersecurity gaps are significant deficiencies,” according to the memo.
The third option is available to states that have or create alternative state agency programs for assessing cybersecurity vulnerabilities separately from the state agency that handles sanitary surveys. For example, if a state emergency management agency or homeland security agency has a cybersecurity program that includes assessments of drinking water infrastructure, then such programs may be used, the memo states.
In tandem with the March 3 release of the memo, the EPA issued a guidance document titled Evaluating Cybersecurity During Public Water System Sanitary Surveys. The guidance includes an “optional” checklist of practices that could be used to assess the cybersecurity of a drinking water system, identify gaps and potential significant deficiencies, and select appropriate remediation actions. Comprising 37 questions, the checklist covers such topics as account security, device security, data security, governance and training, vulnerability management, supply chain and third-party risks, and response and recovery procedures.
Although the guidance is “designed to be used right away,” the EPA is requesting public comment on the document until May 31, according to a March 3 news release issued by the agency.
Although the March 3 memo took effect immediately, it was not subject to a notice and review process. As a result, water providers and the states find themselves in something of an awkward position, says Kevin Morley, Ph.D, the manager of federal relations for the American Water Works Association.
“There’s usually an implementation period” during which the various stakeholders can learn the “new rules of the road” and “have time to make appropriate adjustments,” he notes. “That didn’t happen here.”
In the wake of the EPA’s release of its March 3 memo and accompanying guidance, some water-related organizations criticized the agency for failing to adequately listen to and address their concerns about incorporating cybersecurity reviews as part of sanitary surveys.
“It's taken the water sector a little bit by surprise that we didn't have more of an opportunity to be at the table as this policy was being developed,” Hartnett says.
The water sector has not been shy about voicing its objections to the EPA’s plan while it was under development. In late 2021, multiple trade groups wrote the agency to note their concerns about requiring state inspectors to assess cybersecurity (see “EPA, trade groups differ on how to improve water sector cybersecurity,” Civil Engineering Online, Dec. 22, 2021).
The Association of State Drinking Water Administrators, whose members are responsible for conducting sanitary surveys, also has opposed the EPA’s plan, but to no avail. “We've written three letters to the (President Joe Biden) administration expressing our concerns,” says Alan Roberson, the executive director of the ASDWA. But those concerns have not been addressed, Roberson says.
In particular, the ASDWA maintains that sanitary survey inspectors are not the appropriate personnel for assessing cybersecurity.
“The people that do these inspections are not cyber experts,” Roberson says. “It's just not their thing. They look at tanks. They look at monitoring data.” Another complication, Roberson says, is the absence of an adequate guideline for evaluating cybersecurity. “There are no performance standards,” he notes.
From the ASDWA’s point of view, Roberson says, it would make more sense for water systems to assess their cybersecurity as part of the system risk and resilience assessments that they must do at least every five years in keeping with the requirements of America’s Water Infrastructure Act of 2018.
“That was the approach that we think is the best way to go,” he says.
In a Jan. 25 letter to the EPA administrator Michael Regan, nine associations — the AWWA, AMWA, the National Association of Clean Water Agencies, the National Association of Counties, the National Association of Water Companies, the National League of Cities, the National Rural Water Association, the United States Conference of Mayors, and the Water Environment Federation — asserted that the agency’s plans for including cybersecurity as part of sanitary surveys were “ill-advised, impractical, and are not designed to meaningfully improve system resiliency.”
A chief concern among states and water agencies has to do with the possibility that sensitive information about cybersecurity vulnerabilities found during sanitary surveys could be made public.
If a state determines that a water system has a significant deficiency that leads to a violation of the Safe Drinking Water Act, “all that is public information,” Hartnett says. If such data about cybersecurity weaknesses is released publicly, “any hacker who has an interest in going after water systems through cyberattacks” will have “basically a road map of systems that states have found to be lacking in that area,” he says.
Federal support for WaterISAC
Early March also saw the introduction in Congress of legislation known as the Water System Threat Preparedness and Resilience Act. Introduced in the Senate by Sen. Ed Markey, D-Mass., and in the House by Rep. Jan Schakowsky, D-Ill., the legislation would provide federal funding for drinking water and wastewater agencies to join the Water Information Sharing and Analysis Center, commonly known as WaterISAC.
Created in 2002 by multiple water sector groups, the nonprofit WaterISAC collects, analyzes, and distributes threat information, including cyberthreats, to its member agencies.
Although about half of the larger U.S. water utilities have joined the organization, “less than one-tenth of one percent of smaller utilities are WaterISAC members,” according to a March 6 news release from Markey’s office. The Water System Threat Preparedness and Resilience Act “would help correct this shortcoming by directing the (EPA) to create a new grant program that would help cover the dues in WaterISAC,” Markey said, according to the release.
To this end, the bill would authorize $10 million for fiscal years 2024 and 2025. The funding also could be used “to enhance the tools, resources, and materials” of the WaterISAC, according to the legislation. The bill has been endorsed by the AWWA, AMWA, NACWA, NAWC, and WEF.
This article first appeared in Civil Engineering Online.