In May 2021, the Department of Homeland Security warned that
“high profile cyber-attacks against water and wastewater systems sector networks will increase as criminal, nation-state, and terrorist cyber actors seek to exploit enduring vulnerabilities to achieve financial, geopolitical, or ideological objectives.”
It was not an idle concern. Over the last three years:
- Hackers in Oldsmar, Florida, attempted to raise the level of sodium hydroxide (caustic soda or lye) in the water from 100 parts per million (ppm) to 11,100 ppm, a level that can cause difficulty swallowing, nausea/vomiting, abdominal pain, and damage to the gastrointestinal tract. Thankfully, an alert employee noticed his computer cursor moving on its own, reset the sodium hydroxide levels, and alerted his supervisor before any damage was done.
- In the San Francisco Bay area, a hacker, using the username and password for a TeamView account (a popular program that lets users control their computers remotely) of a former employee, deleted programs that the water plant used to treat drinking water. Because the hack was discovered and corrected quickly, no failures were reported from this incident.
- In Israel, hackers, perhaps from Iran, attempted, but failed, to raise the chlorine levels in five national water supply facilities. If successful, this could have resulted in significant health issues across the country and severe harm to the agriculture industry (because water supply facilities also control agriculture pumps).
The Challenge of Cybersecurity
The EPA provides support and technical assistance to secure the nation’s 52,000 water and 16,000 wastewater systems. But under the Safe Drinking Water Act, the states, not the Federal government, are primarily responsible for ensuring the safety and security of the water systems within their borders.
In the US, resources and capabilities vary. There are a multitude of systems, many of which are quite small with limited budgets and a growing number of water systems run by private companies. The plants serving large populations often have dedicated cybersecurity staff. In contrast, those serving small communities often have one or two people running the entire water systems, with no staff trained in cybersecurity.
There are two distinctly different regulatory approaches.
The EPA’s Approach
The Safe Drinking Water Act was written before the Internet, let alone cyber threats. The Act does not give the EPA direct authority to issue cyber regulations. But they have a workaround, the existing requirement that public water systems periodically conduct sanitary surveys – on-site reviews “evaluating the facilities, equipment, operation, and maintenance for producing and distributing safe drinking water.”
Traditionally, the intent of the sanitary survey was to identify unsanitary conditions and ensure that the water system operates in a manner that provides safe drinking water from the source to the tap. [1] The EPA has responded to cybersecurity in public water systems by issuing a memorandum in March
“ the EPA interprets the regulatory requirements relating to the conduct of sanitary surveys to require that when a PWS [Public Water Authority] uses operational technology, such as an industrial control system (ICS), as part of the equipment or operation of any required component of a sanitary survey, then the sanitary survey of that PWS must include an evaluation of the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.”
The attorney generals of Arkansas, Iowa, and Missouri sued the EPA last month, stating the cybersecurity memorandum changes how they conduct sanitary surveys and imposes increased technology and costs on small and rural water systems. They claim the EPA
- Illegally sidestepped the requirements of the Administrative Procedure Act, including public comment and review.
- Intruded on the sovereignty of the states by threatening to pull millions in funding and take over enforcement authority if the States did not comply with the requirements.
- Imposed an “unfunded mandate” involving significant costs, including additional staff hours and resources to complete the expanded sanitary surveys, without additional funding.
The American Water Works Association’s (AWWA) Approach
The AWWA, the largest association representing water utilities in the US, released a report in 2021 concluding that a co-regulatory approach, building on the Water Infrastructure Act of 2018, was the best option. The Act requires community water systems serving more than 3,300 people to develop risk and resilience assessments and emergency response plans. These plans must account for risks to “electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system.”
The AWWA recommended that a new entity, the Water Risk and Resilience Organization (WRRO), be created to serve and represent the perspectives of water utilities. Congress would explicitly approve the creation of the WRRO and the extension of cybersecurity oversight to the EPA. In collaboration with the EPA, this organization would draft cybersecurity standards, which the EPA would either approve or reject. If the EPA rejects a standard, they would provide specific recommendations for resubmission. The WRRO and EPA would share responsibilities for compliance auditing and enforcement.
AWWA’s suggested approach would answer one of the major concerns of the congressionally mandated Cyberspace Solarium Commission, the “insufficient coordination between EPA and other stakeholders in water utilities’ security.”
Managing cybersecurity is unlikely to succeed through regulatory fiat. Cybersecurity requires a partnership mindset and approach. The AWWA approach seems to be a reasonable start to addressing cybersecurity threats to our water systems.
[1] The eight components of a sanitary survey are raw water source; treatment; distribution; finished water storage; pumps; monitoring and reporting; management and operation; and operator compliance.
Source: A Republican-Led Lawsuit Threatens Critical US Cyber Protections Wired