The water industry wants to write its own cybersecurity rules. Will Biden and Congress get started?


When Iranian government agents hacked U.S. water utilities late last year, we were reminded of how vulnerable the water sector remains — and how efforts aimed at regulating its cybersecurity have been tortuous.

Amid growing tensions with foreign adversaries — particularly China, which has shown an eagerness to hack U.S. critical infrastructure for possible wartime sabotage — water industry officials and cybersecurity experts say it’s vital to strengthen the digital defenses of this sprawling, cash-strapped and neglected sector. And now, following the Environmental Protection Agency’s (EPA) failed effort to force states to inspect the cyber posture of water systems, the industry believes it has found a solution: treat water like electricity, with the industry itself writing rules based on EPA guidelines.

This plan appears to have at least some momentum in Congress. A Republican House lawmaker has worked with water officials on a bill to create a water cybersecurity regulatory system modeled on the electric industry, according to draft legislation obtained by Recorded Future News. The bill, whose timeline for introduction remains uncertain, would allow the EPA to put an industry-led nonprofit group in charge of developing specific requirements that flesh out the agency’s general cybersecurity standards.

But many problems loom: Conservative lawmakers will likely be reluctant to give the EPA more power, it may take more than a decade to implement all the necessary security measures, and small utilities will be left behind without massive financial assistance.

Still, many people who follow the water sector’s cyber challenges say the industry’s plan has the best chance of success — and that the country cannot afford a prolonged search for alternatives.

“You have a significant risk environment,” said Mark Montgomery, senior director of the Center on Cybersecurity and Technology Innovation at the Foundation for Defense of Democracies. “The status quo is not acceptable.”

Flooded with risks

Of the 16 critical infrastructure sectors that support American life, water may be the most difficult to protect against cyberthreats.

It’s a massive industry, with more than 150,000 public water systems of varying sizes and technological sophistication, according to the Cybersecurity and Infrastructure Security Agency (CISA). And most of these utilities have very little money, because their funding depends on locally approved rates that voters are reluctant to raise. Every dollar spent on cybersecurity is a dollar not spent on pipes and process chemicals.

This financial pressure has accelerated another trend that makes the water sector difficult to protect: the widespread automation of plant operations using digital equipment, often connected to the Internet. Managing pumps and valves now requires far fewer employees, saving utilities money. But the decades-long shift to automation predates the start of hacks targeting the water sector, so most of these digital systems lack basic cyber protections.

Today, the water sector faces many threats, from ransomware gangs to nation-state hacking teams. Criminals go after utilities’ customer data, while government agents – like the Chinese hackers behind the Volt Typhoon campaign – look for ways to cut off water supplies in the event of a conflict. Many experts believe it’s only a matter of time before an intruder cripples the supply of clean drinking water somewhere in the United States.

“If you lose water, you end up losing a lot of power generation,” Montgomery said. “You obviously lose public health and safety. And the army will be less effective and our economy less productive.”

The industry recognizes the need for oversight, but trade associations and their supporters say regulations must reflect the unique properties of the water sector, including its size and diversity, the fact that water systems are not interconnected the way electric utilities are, and the inability of the underfunded EPA to serve as a traditional regulator.

Among policymakers, “there’s a recognition that something different is needed in the water sector,” said Kevin Morley, federal relations manager for the American Water Works Association.

The industry holds the pen

To create cyber regulation on its own terms, the water industry is working with Rep. Rick Crawford (R-Ark.), who is developing a bill based on proposals that have circulated in recent years.

According to the draft text that Crawford’s office provided to Recorded Future News, the bill would empower the EPA to impose cybersecurity standards for the water sector and certify a nongovernmental “water risk and resilience organization” (WRRO) that would develop the specific requirements. The EPA would then review the proposed text and either approve it without reservation or negotiate modifications.

Rep. Rick Crawford at a Congressional Steel Caucus meeting in June. Image: Representative Rick Crawford

The WRRO, not the EPA, would directly oversee compliance through annual self-certifications and independent audits at least every five years. The organization could punish violators with fines of up to $25,000 per day.

The Crawford bill reflects the approach used in the electric sector, where the Federal Energy Regulatory Commission (FERC) issues general requirements and the industry-run North American Electric Reliability Corporation (NERC) develops the details.

The water industry says this approach would be better than traditional EPA regulations because it would ensure that the rules are shaped by the practical experiences of utility operators. “We think this is the fairest process,” Morley said.

Writing its own rules would help the industry achieve a top priority: standards that apply differently to facilities of different sizes. Large utilities have more complex and vulnerable IT systems than smaller utilities, some of which don’t even have any sensitive industrial equipment.

Cybersecurity experts who have worked with the power sector say this model would help ease tensions between the EPA and the water industry. “The fact that industry is getting involved hand in hand with government to co-develop these requirements is a very positive thing,” said Marty Edwards, deputy director of technology for OT and IoT at the industrial cybersecurity company Tenable.

Against the clock

The water sector project faces several significant challenges.

A major problem is the prevalence of industrial equipment that is too old to support required security upgrades. “For many of these utilities, it will be difficult to overlay the desired cybersecurity controls on top of these legacy technology implementations,” said Andrew Ohrt, resilience practice lead at water engineering consultancy West Yost Associates.

Utilities will have to spend valuable funds and employee time on lengthy and complicated planning processes to replace this equipment, Ohrt said.

Another complication is the need for a stronger and more cybersecurity-savvy EPA. At a time when Republicans almost unanimously oppose every move by the EPA, it is not certain that the House, controlled by the Republican Party, will hold a vote on a bill giving the agency a new regulatory power. And even Crawford’s proposal doesn’t give the EPA money to strengthen its capacity to support the water sector. (The bill would give the WRRO itself $10 million over the next two fiscal years.)

Then there’s the issue of time. It took NERC more than a decade to define its final set of critical infrastructure protection (CIP) requirements for electric utilities. “You don’t recreate the NERC CIP in a year,” said Robert M. Lee, chief executive of industrial cybersecurity firm Dragos. Ohrt said the process of decommissioning obsolete industrial equipment alone could take “10 to 15 years for many utilities.”

Morley believes the water industry could implement basic requirements much more quickly by adapting best practices from other sectors. But even basic rules for the most critical water facilities — like those that supply military bases and large cities — would take three to five years, Lee said.

Even odds of passage

For now, all eyes are on Congress as the water industry and cyber experts await Crawford’s bill. His spokeswoman, Sara Robertson, said there was no timetable for the bill’s introduction. Supporters are also awaiting a signal from the Biden administration, which has championed creative approaches to cybersecurity regulation for critical infrastructure, on whether it supports the sector’s nontraditional approach. The White House did not respond to a request for comment, while the EPA declined to comment.

“This is the only model that can probably be adopted,” Montgomery said. “And even then, I would say it’s as likely to pass as not.”

As foreign government hackers seek out vulnerable infrastructure, Edwards said it is “critically important” that lawmakers pass rules for the water sector. “We should have done this ten years ago,” he added.

Lee lamented the ease with which a group of relatively novice Iranian hackers was able to break into water utilities through industrial devices that were still using the default password “1111.”

“Unsuspecting actors could put people’s lives at risk… (because of) things that we know exactly how to fix,” Lee said. “I find this unacceptable.”
