The Trend Toward Heightened Cybersecurity for the Water Utility Sector
With high-profile cybersecurity attacks in 2021 such as those at Colonial Pipeline and JBS Foods, there is no doubt that cybersecurity is of utmost importance to our nation, and cybersecurity for our water sector is no exception. The potential ramifications of a cyber attack on the water industry are disconcerting—in one 2021 attack, hackers accessed system software that allowed them to adjust the level of a water treatment chemical in the water treatment process. Through the Biden-Harris Administration’s recent announcement that it will extend the Industrial Control Systems (ICS) Cybersecurity Initiative (Initiative) to the water sector through the Water and Wastewater Sector Action Plan (Action Plan), the Administration recognized an ongoing commitment to evaluating and improving this sector’s cybersecurity.
Under the Action Plan, which was developed pursuant to the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, the US EPA, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the Water Sector Coordinating Council (WSCC), will lead a task force of water sector leaders to focus on promoting and supporting strategies for detecting cyber threats early on and sharing cyber-threat data rapidly to expedite analysis and action. More specifically, the Action Plan will implement a pilot program to deploy systems and technologies that monitor control systems, detect malicious activity, and facilitate response actions to ensure safe operations.
The Initiative and Action Plan are voluntary and minimal other federal requirements for industry cyber resilience exist at this time. The only Congressionally required cybersecurity efforts for the water sector arise out of America’s Water Infrastructure Act of 2018 (AWIA), which only covers the drinking water sector. The AWIA requires community water systems serving more than 3,300 people to develop and update risk assessments and emergency response plans. Under the AWIA, water systems submit a certification of compliance, but there is no other agency review of the adequacy of a system’s cybersecurity practices. The lack of uniform cyber resilience requirements, combined with the voluntary nature of the Administration’s current drive to heighten cybersecurity, underscore the importance of the water industry taking initiative to address cybersecurity preparedness in anticipation of cybersecurity threats.
The most recent administrative focus on cybersecurity indicates that governing authorities are looking for additional means to bolster cybersecurity in the water sector. The US EPA has already discussed new measures such as including cybersecurity as a topic in sanitary surveys that drinking water utilities already must conduct every three to five years and adding a cybersecurity component to National Pollutant Discharge Elimination System (NPDES) permits. The water sector can certainly anticipate future US EPA efforts on this topic and likely additional federal and state legislation as well. Consequently, water utilities should capitalize on early voluntary initiatives such as the Action Plan to advocate for cybersecurity policies that best protect the public while remaining feasible for the water sector to implement.
While the Biden Administration and US EPA continue to advance cybersecurity efforts in the water sector, water systems must also regularly appraise their current cybersecurity measures to ensure they are properly preventing, detecting, and responding to cyber threats. There are numerous guidance resources available for utilities seeking to develop strong cybersecurity practices, including the National Institute of Standards and Technology’s Cybersecurity Framework. Frequently evaluating a facility’s cybersecurity techniques will help protect the public from dangerous cybersecurity threats in the future.