December 20, 2021 | Policy Brief

EPA Misses Mark With Proposed Cybersecurity Standard

Water sector groups raised concerns earlier this month with the Environmental Protection Agency (EPA) regarding the agency’s pursuit of a new cybersecurity requirement without prior consultation and collaboration with the water sector. While the EPA’s cybersecurity support for the water sector is sorely needed, the agency would greatly benefit from collaborating with water sector experts.

In a letter to Assistant Administrator for Water Radhika Fox, representatives from five water sector associations raised issues with the EPA’s proposal to add cybersecurity to the sanitary surveys conducted by state governments, calling it a “top-down, one-size-fits-all” approach that will be “ineffective at improving cybersecurity at water systems.” The letter warns that the approach will likely “fail to have a decisive impact on water sector cybersecurity” and “lack[s] input by water sector subject matter experts.”

As we concluded in a November report published by the Foundation for Defense of Democracies (FDD), the EPA is not equipped to perform the sort of cybersecurity assessment that its own directive would require. The same is true for the state government agencies responsible for sanitary surveys.

The United States has approximately 52,000 drinking water and 16,000 wastewater systems, most of which serve small- to medium-sized communities of fewer than 10,000 residents. A recent survey by the Water Sector Coordinating Council found that 60 percent of water utilities spend less than 5 percent of their budget on information technology security. Facing shrinking budgets and growing cyber exposure as more of their operations are automated, water utilities need technical assistance and financial support, not an assessment by inspectors who would likely be ill-prepared and whose inspections could vary greatly across 50 states.

One positive element of the EPA’s proposal is its recognition that cybersecurity applies to wastewater utilities as much as to drinking water utilities. Our report called for amending America’s Water Infrastructure Act of 2018 to include wastewater utilities alongside drinking water utilities in the risk and resilience assessments the act requires, which cover cybersecurity. However, while the EPA’s position is laudable, implementing it through the sanitary survey would be problematic.

Instead, the best way to implement this and other U.S. government efforts to improve the water sector’s cybersecurity is through industry-government collaboration aimed at establishing cybersecurity standards, and by funding grant programs to support those efforts. The water associations’ letter itself pledges the sector’s commitment “to a collaborative solution” and requests a conversation with the EPA.

As we stated in the FDD report, the path forward for the U.S. government and this critical-infrastructure sector should also include properly resourcing and organizing the EPA to support the sector’s cybersecurity, creating and funding assistance programs for water and wastewater utilities (similar to those for energy utilities), and providing support to water associations to expand training and technical assistance.

Likewise, Congress should create a joint industry-government cybersecurity oversight program for the water sector. Lawmakers can apply lessons learned from other industry-led approaches to developing cybersecurity regulations, like those in the electricity subsector. Through collaborative efforts, the industry-government oversight program can provide a framework for the EPA to oversee the development and implementation of effective cybersecurity standards, while water and wastewater utilities can receive the federal support they need.

Mark Montgomery serves as senior director of FDD’s Center on Cyber and Technology Innovation (CCTI) and as senior advisor to the chairmen of the Cyberspace Solarium Commission. Trevor Logan is a cyber research analyst at CCTI. Follow Mark and Trevor on Twitter @MarkCMontgomery and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.