Who’s in Charge of Water Utility Cybersecurity Checks?
Water treatment plants and utilities are at risk for cyberattacks, as demonstrated by an attempted attack at a Florida facility in 2021. But as these utilities’ cybersecurity is in the spotlight, officials are disputing how best to monitor for attacks and vulnerabilities.
Last week, the White House announced that the U.S. Environmental Protection Agency (EPA) will delegate cybersecurity regulation for state water facilities through local sanitation inspections, CyberScoop reported. But this is a large task to put on inspectors’ plates: there are 51,000 drinking water systems in the United States, and around 85 percent of water companies are municipal and very small, with even smaller IT services budgets.
“By not tailoring the approach to better assess and confront different utilities’ cybersecurity needs, and by relying on workers untrained in cybersecurity to carry out audits, industry groups say the EPA could be setting up a system that misses cyberattacks,” CyberScoop said.
Sanitation reviews are usually visual inspections to ensure a utility’s physical equipment is working effectively, so water and cybersecurity experts are skeptical that inspectors would have the base of IT knowledge to effectively assess a utility’s cybersecurity posture.
A @WhiteHouse announcement that the @EPA will delegate #cybersecurity regulation for state water utilities through local sanitation inspections is getting pushback from industry groups and #infosec experts, reports @SuzanneMSmalley.https://t.co/xSHhtd37Z1
— CyberScoop (@CyberScoopNews) August 5, 2022
There are currently no minimum cybersecurity mandates for the water sector in the United States, although the Biden Administration is working to develop and implement some that target the 1,600 water companies that serve large populations.
The details of the EPA’s regulations are still unclear, but the rule will likely be modeled after recently issued regulations for the Transportation Security Administration (TSA) that mandate incident reporting, the creation of emergency response plans, and the implementation of basic technologies such as multifactor authentication, Politico reported.
However, the article continued, “the rule could create new burdens for state utility overseers that have to hire new inspectors, train existing workers on cybersecurity, or readjust inspection schedules to accommodate the new elements of the surveys.”
This could be expensive, though. The EPA has at most $7 million allotted in its annual budget for cybersecurity, but so far that falls far short of the $45 million recommended by the Cyberspace Solarium Commission in a March 2020 report, CyberScoop reported in June.
