Critical infrastructure across the country is under cyberattack from bad actors. High-impact systems are tempting targets for disruption and extortion via ransomware, especially the increasingly digitized municipal water treatment and supply infrastructure.
The Environmental Protection Agency (EPA) has issued a mandate to water management organizations under the aegis of the National Cybersecurity Strategy (see ref 1).
The EPA released the mandate for the water sector in March (ref 2). The release came a day after The White House issued its National Cybersecurity Strategy. The mandate places obligations on organizations that manage public water systems (PWS) if they are using digital technologies such as industrial control systems (ICS) or other operational technology (OT) to monitor, manage or control any part of the equipment used for the treatment or supply of water.
Every PWS provider regulated by the EPA must comply with the new cybersecurity mandate. Doing so requires them to:
Along with the requirements outlined in the mandate, the EPA has provided advice and guidance on conducting cybersecurity reviews as part of the regular sanitary surveys and on implementing cybersecurity controls. A selection of resources is available for download (ref 2).
Everyone welcomes the purpose and objectives behind the mandate. Protecting PWS from attack should be a top priority. However, cybersecurity experts and many professional & trade associations representing the PWS sector have expressed concerns.
The primary concerns that both water industry insiders and external cybersecurity experts have with the mandate are as follows:
Lack of expertise - Inspectors doing sanitary surveys to assess and certify the hygiene of PWS infrastructure do not have the skills required to determine the security of ICS and other OT & IT equipment. The Association of State Drinking Water Administrators (ASDWA) issued a critical response to the mandate. It included this paragraph:
“Several significant concerns with this approach have not been fully addressed, such as the lack of subject matter expertise, lack of a standard to measure against, protection of sensitive information, potential liability for the states, the low frequency of sanitary surveys compared to rapidly evolving cybersecurity threats, and the state staff burden for assessing and monitoring systems’ cybersecurity activities.”
ASDWA also noted that the results of sanitary surveys are subject to public record and that including cybersecurity findings in this record could expose vulnerabilities to bad actors. They are also concerned that investing time in training sanitary inspectors to take on the cybersecurity task could reduce their capacity to keep drinking water safe.
The time between sanitary surveys - ASDWA also had concerns with the proposed 3-5 year timelines that are normal for sanitary inspections. They, and many cybersecurity experts, have pointed out that 3-5 years is an eternity when considering the cybersecurity threat landscape.
Scalability to cover all PWS - The mandate allows PWS to use self-assessment or an approved external cybersecurity provider with DHS, EPA, or State-level approval to conduct surveys. This is a limited subset of providers within the broader cybersecurity sector, and given the volume of PWS providers across the country, limiting it to this subset will restrict access to experts authorized to inspect PWS systems. Mike Hamilton (CISO at Critical Insight) said:
“It’s a bit disheartening that the third-party assessment resources seem limited to DHS, EPA, and States, making this activity hard to scale across the breadth of water utilities across the country. Allowing for private-sector cybersecurity companies to perform assessments would accelerate the collection of information and the development of corrective action plans.”
Webinar: Cybersecurity Changes for Public Water Systems
You can watch Mike Hamilton, Bjorn Townsend (a Critical Insight Senior Consultant), Dan Ervin (Executive Vice President at Varius, Inc.), and Jake Milstein (CMO of Critical Insight) in a webinar discussing the recent Cybersecurity Changes For Public Water Systems via this June 2023 YouTube video recording.
Irrespective of the implementation details of the new mandate, it is in the interests of all water management organizations to bolster their cyber defenses. Given that compliance with the mandate can be delivered via self-assessment, any PWS provider can enlist the expertise of a suitable external cybersecurity team to advise them.
As Shayla Powell, a public affairs specialist at EPA, said in an emailed statement to the Cyberscoop website (ref 4):
“EPA interprets this regulation to require that when a PWS uses operational technology, such as an industrial control system (ICS), as part of the equipment or operation of any required element of a sanitary survey, then the sanitary survey of that PWS must include an evaluation of the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.”
Delivering cybersecurity services to protect critical infrastructure and IT systems in organizations such as PWS providers is why Critical Insight exists. We have decades of experience in our team across all critical infrastructure sectors, local government, state government, and private sector organizations.
We can provide cybersecurity services and assistance to any PWS provider across their whole operation. We can work with your IT and leadership teams to assess your readiness in light of the EPA mandate. Then, we can create a practical plan and improve your cybersecurity posture on a timescale that makes sense for your organization and available budget. Contact us via the form at the foot of this page.
PWS providers must prioritize cybersecurity and build robust systems to guard against attacks. The ramifications of a successful attack would be devastating. Below are brief outlines of the potential impacts and threats.
A successful cyberattack against a PWS provider can have significant ramifications:
Disruption of Water Supply - Attackers can disrupt water distribution, affecting essential services like clean drinking water and firefighting capabilities.
Health and Safety Risks - Attacks could result in contaminated or manipulated water that harms people’s health.
Loss of Confidence - A cyberattack on a water provider can harm public trust in the water supply systems and government institutions.
Economic Impact - A cyberattack can cause economic disruption in the areas covered by the PWS. Businesses could experience financial losses and potential closures due to a lack of clean water. This could lead to lawsuits against the PWS provider. Additionally, repairing and securing compromised infrastructure will be costly and time-consuming for the PWS team.
Legal and Regulatory Consequences - A cyberattack on a water provider can result in EPA legal action and investigations to determine if proper cybersecurity measures were in place.
These are the threats that PWS providers face and that the EPA mandate is attempting to address:
Increasing Digitization - Digitization of water and waste systems has led to new vulnerabilities that attackers can exploit, risking disruption of PWS operations.
Malware Attacks - Malware refers to software designed to harm a computer system. Malicious programs can steal data, cause disruptions, or even damage hardware. PWS IT systems in remote locations may be especially susceptible to malware attacks as they are often several years old and may not get security updates frequently, even if updates are still available.
Ransomware Attacks - Ransomware encrypts IT systems and renders them unusable. In a PWS provider, these attacks can cause service shutdowns if PCs controlling key processes are not operating.
Distributed Denial-of-Service (DDoS) - Attackers use DDoS to flood target computer systems with traffic, rendering them unusable for the duration of the attack. PWS providers targeted by DDoS attacks may have to shut down operations until the attack is over or mitigated.
Insider Threats - Cybersecurity threats don’t always come from external bad actors. Insiders, like employees or contractors with access to PWS systems, can also pose a threat. These insiders can be intentional in their actions, like stealing data or sabotaging systems, or unintentional, like clicking on a malicious link or opening an infected attachment that introduces ransomware. Cybersecurity needs to address both internal and external threats. Cybersecurity awareness training is a sensible use for some of the available cybersecurity budget to reduce the insider threat from accidental mistakes.
To summarize, it is crucial for water and waste system companies to prioritize cybersecurity measures and targeted spending. Even without the EPA mandate, this would be true. Doing so will ensure the protection of their critical infrastructure, compliance with existing (and new) regulations, the safety of the public water supply, and the reduction of financial and reputational risks that come with cyber incidents. Critical Insight can ensure your budget gets used on what you need today and over time.