Missing the Bigger Picture: The EPA Inspection Requirements vs. the Reality of Cybersecurity in the Water and Wastewater Sector
On the heels of the release of the Biden Administration’s National Cybersecurity Strategy, the U.S. Environmental Protection Agency (EPA) released its new requirements for U.S. states to perform inspections of water and wastewater systems for cybersecurity resilience.
The EPA memorandum released on 3 March 2023 establishes that, as part of regular sanitary surveys, states must perform evaluations of the operational technology (OT) around public water systems (PWS). Sanitary surveys are defined by the EPA as an “onsite review of the water source, facilities, equipment, operation, and maintenance of a PWS for the purpose of evaluating the adequacy of such source, facilities, equipment, operation, and maintenance for producing and distributing safe drinking water."
“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator for Water Radhika Fox in a statement about the agency’s memo. “Cyberattacks have the potential to contaminate drinking water, which threatens public health. EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
The Scope of the Challenge
The document provided by EPA for guidance on cybersecurity practices to be evaluated may seem simplistic to modern cybersecurity practitioners. Many of these requirements and controls, however, might be new for some in the public water sector. Cybersecurity is still a novel concept in many of these environments, despite increasing cyberattacks and ransomware incidents in the space. Many public water systems rely on their IT programs to meet cybersecurity requirements in the OT space. But best practices and guidance for how to protect these systems are drastically different than the best practices of your standard corporate IT environment.
Much of the OT that manages U.S. water systems was never intended to be connected to the Internet. Some of this technology is more than 30 years old, and it is therefore difficult to enforce security practices such as multi-factor authentication, patch management schedules, and other key controls. Yet, as recently as a decade ago, utilities sharply increased implementation of Internet-facing technologies to increase operational efficiency. With advances in mobile technology, smartphones, tablets and the portability of smaller laptops, utilities were able to remotely monitor their systems and more efficiently deploy their staff. At the time these technologies were implemented, cyberattacks on industrial networks were virtually nonexistent. Because of that, implementations often comprised low-cost technologies that provided convenient access to a utility’s control system.
Additionally, many public water systems are small municipalities, relying on resource-limited IT departments to manage networks and systems. This means they might lack the key understandings and skill-sets to build the solutions needed for the robust programs the EPA is going to be looking for with its inspection.
And skill-sets are going to be a concern across the board for these new requirements. The American Water Works Association (AWWA) represents more than 4,300 utilities and has approximately 50,000 members representing the water community. It sent a letter to the EPA in January 2023, urging the administration to recall the memorandum. AWWA’s letter asserts that while cybersecurity is a critical need in the space, the cybersecurity requirements in the Sanitary Survey Program are “ill-advised, impractical, and are not designed to meaningfully improve system resiliency.”
The association also highlighted legal flaws in the publishing of the memo, including that if the EPA is to impose requirements, they must satisfy other prerequisites and be subject to judicial review. AWWA also said it is concerned about the suitability of sanitary survey inspectors to perform cybersecurity reviews. To truly understand cybersecurity best practices and to be able to report on gaps in the space will take more than a six-hour training, the AWWA said.
Additionally, water systems have already been provided with assessment requirements. America’s Water Infrastructure Act from 2013 (AWIA) requires a cybersecurity risk assessment every five years for community drinking water systems that serve more than 3,300 people.
While the assessment requirement has resulted in some utilities increasing awareness around their cybersecurity posture and developing capital plans to implement improved security practices, its limited enforcement makes it effectively a box-checking exercise.
Ultimately, public water systems need assistance to implement even the most basic of cyber hygiene practices. While the Biden Administration provided $1 billion for state and local grants to improve cybersecurity in 2022, small municipalities and localities do not have the staff needed to write the grant applications that would bring this money to the areas of greatest need. Furthermore, even if they were to have the grant-writing capacity through volunteerism or a council member with a grant background, the staffing needed to implement cybersecurity, the education requirements, and the technology itself may be prohibitive for most organizations.
Massive overhauls of cybersecurity environments, to include the physical separation of OT and IT networks, along with locking down remote access to the OT network successfully, likely cost more than may be be awarded from the grant—meaning it would have to be added to capital improvement plans. With many utilities relying on antiquated technology, cybersecurity will take a significant back seat to improving the actual systems that treat and process water.
There is also the pervasive belief within the sector that “this won’t happen here” or that existing measures are “good enough.”
For example, with modern secure remote access being less convenient (requiring multiple levels of authentication), and certainly more costly to implement and maintain, many utilities are faced with the decision as to whether the efficiency the existing technology provides is worth the required investment. This may lead to many utilities “air gapping” their systems, at a risk of providing a false sense of security that policies, security controls, and patching programs are not required.
Addressing New Risks
In looking at ransomware incidents and compromises in the water sector, it’s past time to accept that everyone is susceptible. Industrial cybersecurity firm Dragos recently reported on the detection of PIPEDREAM, a ransomware directly targeting industrial control system (ICS) devices, which suggests that attackers are increasingly looking to target OT spaces—water included.
What is truly needed for successful cybersecurity improvements in the water and wastewater space is more commitment to public/private partnerships. With organizations like the WaterISAC, awareness and education on key cybersecurity topics is growing in the space, but technical partnerships are necessary to protect the critical water supplies everyone depends on.
Dragos has made waves in this arena by establishing OT-CERT , a program providing free cybersecurity resources to the ICS/OT community. This program is targeted at small municipalities and state systems that may not be able to afford key cybersecurity tooling or staffing. It includes, among many other benefits, a free Dragos monitoring sensor for those small organization members. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also has resources for penetration tests and risk assessments, but more is needed from leaders in the cybersecurity space to ensure affordable solutions are available to these stakeholders.
Education of ICS professionals and a commitment to improving the cybersecurity baked into new OT devices are essential to improving this space. At present, there are minimal certification training programs for OT cybersecurity such as ISA/IEC 62443 or SANS GICSP. These programs can often be cost prohibitive with memberships, trainings, and continuing education requirements. Traditionally, most OT professionals hold degrees and training in electrical engineering focused disciplines as opposed to having cybersecurity or network engineering backgrounds; this presents an enormous challenge. There’s already a significant gap in the cybersecurity professionals’ space, but the unique understanding of OT is even more rare and challenging to individuals who may have only seen a mature IT cybersecurity program and expect an apples-to-apples approach.
Maturing the Environment
If grants, partnerships, and technology are in place, the final hurdle for stakeholders is to ensure that the inspections are not just a box-checking exercise. Many times, even in corporate IT, inspections, audits, and other compliance checks are just this. While they meet the requirements of the inspection, they are still open to vulnerability, can still be compromised, and can pose dangers to national security.
In an ideal situation, the inspections would create an opportunity to progress and mature the cyber environment. There would also be accountability related to the results of these inspections, and requirements for improvement of the key areas of impact to protect these critical systems. Instead, they need to be an opportunity to progress and mature the cyber environment.
The EPA inspection requirement is a good step in the right direction, but there are many other components that also need to be put into place for it to be truly successful. Only time will tell whether this effort will be triumphant, or if the results will be placed in yet another Excel spreadsheet sitting in an untouched folder.
Mea Clift, CISSP, PMP, CRISC, CISA, CISM, FAIR, is the cybersecurity program manager at Woodard & Curran. With 25 years in information technology, Clift has extensive experience with cybersecurity and risk management. Beginning in desktop support, she moved into servers, then managed services, cloud services, and finally focused on cybersecurity and risk management. Clift’s IT experiences gave her a unique perspective on cybersecurity and allowed her to see the full spectrum and lifecycle of cybersecurity management. Passionate about helping the next generation of cyber professionals, Clift writes articles, provides presentations on cyber risk topics, and mentors for Cyversity and ISACA.
Tim Maynard, GICSP, P.E., is a senior technical manager at Woodard & Curran. He has 20 years of experience in the design, programming, and implementation of control systems within the industrial, manufacturing, and municipal water markets. As network engineering technologies have become more prevalent within automation and control systems, Maynard has become a leader in the architecture and implementation of cybersecurity solutions for operational technology. He has presented on cybersecurity best practices for municipal water systems at several conferences such as ACE, NEWEA, and NEWWA.