Protecting water from cyberattacks

The Environmental Protection Agency's effort to secure the country's water supply from cyberattacks faces giant hurdles.

They include the water system’s low government funding and staffing levels. There is also a heavy reliance on legacy IT. The patchwork nature of the tens of thousands of local U.S. water authorities is also a problem.

Driving the news: The EPA submitted its initial plan for tackling water security to Congress last month. It lays out which systems it would slot for technical assistance during cyberattacks. The agency is expected to roll out new rules this fall that would require state officials to include cybersecurity concerns in their existing water inspections, an official told E&E News.

Between the lines: The EPA faces different challenges than other agencies in writing cybersecurity rules for the utilities they regulate. That is because the U.S.’s water systems are widely distributed and isolated. The country has roughly 148,000 public water systems. Most water systems operate through state and local governments with their own budget constraints and priorities.

Those states and cities need the resources and motivation to prioritise water cybersecurity. It is the only way that any blanket EPA federal regulations will become effective, says Padraic O’Reilly, co-founder and chief product officer at critical infrastructure cyber firm CyberSaint Security. Bryan Ware, former assistant director of cyber at the Cybersecurity and Infrastructure Security Agency, said water system operators in small to medium-size towns have small IT teams. That makes it difficult to prioritise cyber protections.

Challenges around dealing with cyberattacks

Threat level: The distributed water system makes it nearly impossible for a malicious hacker to take down the entire U.S. supply in one fell swoop. But hackers can still wreak havoc on small to medium-sized towns’ water supplies. In February 2021, a hacker broke into the computer system running the water system serving 15,000 people in Oldsmar, Florida, and tampered with the amount of sodium hydroxide in the supply. Last month, a U.K. water supplier serving 1.6 million people said its offices were disrupted after a cyberattack.

The intrigue: The EPA faces its own resource shortages, which hinder its ability to establish and enforce tough cybersecurity rules for water systems. At least one estimate suggests the agency spends $7 million on cybersecurity operations within the Office of Water. Experts say that’s nowhere near enough. The EPA has asked Congress for more in next year’s budget, including $25 million for a new grant program to build and improve water cybersecurity infrastructure.

Yes, but: The EPA can still get creative with its regulatory approach. In its August report to Congress, the agency said it plans to work with CISA to help water systems mitigate and recover from cyberattacks. Politico reported last month that the agency is eyeing rules similar to the TSA guidelines for pipelines, which are more flexible and allow operators to submit their own plans for addressing common cybersecurity problems. Industry groups like the American Water Works Association have pushed the EPA to lean more on CISA’s free resources for critical infrastructure providers, including cyber hygiene scans. A spokesperson for the National Security Council said the White House and EPA are working with Congress on solutions to help better train and staff water security professionals.

What’s next: The EPA is still mulling what form broad federal rules for water operators will take, as federal officials work to help low-resourced water operators make cybersecurity a higher priority. As Congress returns from summer recess and begins budget talks, funding the EPA’s cybersecurity efforts will be one item on the long agenda.
