Dissecting the Latest EPA Alert: What it Means for Drinking Water Utilities
On Monday, the U.S. Environmental Protection Agency (EPA) issued an enforcement alert outlining the cybersecurity threats and vulnerabilities facing community drinking water systems. It details the necessary steps these systems must take to comply with the Safe Drinking Water Act (SDWA). The EPA issued this alert due to the rising frequency and severity of threats and attacks on the nation’s water system.
Unfortunately, due to a lack of resources, water utilities have been unable to complete some of the basic best practice cyber hygiene activities. This situation is likely to reach a breaking point if not addressed soon.
Challenges in Cybersecurity Compliance
The water sector has talked about cybersecurity for a long time but hasn’t really been incentivized to make sure they were following all standards and meeting compliance. There are several reasons for this.
The goal of larger water utilities is to protect themselves. They can run their systems manually, thinking they can disconnect from the network if there is a problem. The only things that they’re required to provide is water quality reports, usually to a state level entity and a self-assessment letter under the 2018 America’s Water Infrastructure Act (AWIA) on a periodic basis. There are usually multiple water quality reports a day, but they can all be done manually. If the utilities are smaller or owned by a municipal government, then they must report on operational budgetary data about once a month.
Water utilities have traditionally relied on the ability to easily disconnect and operate manually. Most of these water utilities are small, municipally owned, and their funding comes primarily from taxpayers, with occasional grants. Unlike electric utilities, they don’t have access to extensive resources.
Background on Section 1433 of the Safe Drinking Water Act
Section 1433 of the SDWA was amended in 2018 by the AWIA, specifically section 2013. This is the specific legislation that indicated the requirements for drinking water utilities to perform risk and resilience assessments (RRAs) and update emergency response plans (ERPs) in an attempt to comply with NIST-based cybersecurity baseline standards.
This is not new. In 2018 the EPA gave clear indications to the drinking water utilities that the process was going to be entirely self-governed and that they would perform the assessments themselves and then provide a self-certification letter to the EPA. They also gave indications of limited auditing and civil enforcement. In response, the AWWA drafted a legal opinion indicating a fiduciary responsibility between the drinking water utilities and the public. The EPA also stated more than once that they were not going to take strict enforcement action and were going to limit fines for drinking water utilities.
Step forward to 2020, which was the first of the enforcement deadlines for AWIA (referenced here as 1433 of the SDWA), one of the major differences between drinking water and energy utilities is the funding available. Many small community water utilities do not have the financial resources necessary to implement best practices for cybersecurity of an operational technology (OT) system.
A 2022 study by the EPA’s Office of the Inspector General found that EPA did not adequately oversee AWIA compliance (AWIA 2018, which amended section 1433 of the SDWA 2013). What’s important to note is that this alert is not introducing new regulations. Instead, it signifies the EPA’s intention to resume and properly enforce the actions they were originally mandated to carry out.
As recently as three months ago the EPA issued guidance to state and local governments indicating that, due to political reasons, they would not be able to enforce part of the SDWA. Instead, state and local governments should take their own measures to promote the localized implementation of best practices.
A Path Forward
At RSA earlier this month, this specific topic came up. We continue to hear that public/private partnership is one of the primary mechanisms necessary to enable drinking water utilities to have the resources to implement these best practice controls. There are specific software solutions which can be utilized but they frequently require the computer networks of these systems to be, if not redesigned, at least modified and those modifications are costly. In addition, the utilities don’t have the technical expertise necessary to undertake a project of that scale and outside resources are expensive.
There are some specific typical procedures which can be modified without significant costs. These include:
- Moving from shared resource accounts to role-based access control
- Making modifications to both procedure and technical mechanisms for secure remote access
- Implementing the concept of least privilege
- Implementing a visibility solution
- Making specific and active procurement decisions around hardware and software
In addition, these utilities should be partnering with firms who can provide them the specific expertise that they lack if that is a necessity. This is a “better together” story, particularly under the guise of engaging in real-time monitoring to establish a baseline of what is normal activity in the environment so that threats can be identified quickly. I gave a talk about this topic at the RSA conference, and you can listen to this podcast with the Security Ledger where I delve into this better together story and how DirectDefense can assist water utilities. These utilities need help from firms that specialize in OT cybersecurity and engineering firms and SCADA system integrators that can help with the other foundational changes necessary.
At DirectDefense, we offer real-time monitoring of IoT and OT environments by leveraging platforms such as Claroty and SCADAfence. These platforms provide the required visibility and protection and with our 24×7 SOC managing those alerts in partnership with our Connected Systems team, customers can elevate their security posture and increase their cyber resiliency.
Myself and my colleague Jacques Brados, co-contributor of the Operational Guide to AWWA Standard J100 Risk & Resilience Management of Water & Wastewater Systems and lead author of its Cybersecurity section, continue to work with AWWA and a number of engineering firms and integrators to make progress in this space in an attempt to improve cybersecurity hygiene for water and wastewater utilities.