EPA Turns Off Taps on Water Utility Cyber Regulations

TL;DR: Facing legal challenges from state AGs and water associations, the EPA decided to give up its fight to mandate cyber-risk assessments for water utilities — for now. Experts warn that the sector is woefully at risk for escalating cyberattacks, and they explain why and offer insights for what utilities should do next.

The Environmental Protection Agency last week withdrew rules governing cybersecurity standards for the public water sector, after industry groups and Republican lawmakers brought litigation on the issue. But cybersecurity experts warn that public safety and health is at risk without cyber improvements in the sector, as cyberattacks threaten to flow freely.

The now-defanged rules were established in a March 3 interpretive memorandum (PDF), and they would have required water systems to include a cybersecurity evaluation for operational technology (OT) and industrial control systems (ICS) during any sanitary survey.

The Sanitary Survey Program requires periodic, mandated onsite reviews of the water source, facilities, equipment, operation, and maintenance of a system to make sure that it can produce and distribute safe drinking water. The cyber dimension is an augmentation of the existing rule that the EPA added, thus circumventing the usual, politically charged rulemaking process for introducing new regulation.

According to Mike Hamilton, CISO of Critical Insight, the augmentation is "just a requirement to assess each environment and provide those results to the EPA," adding that the ask is "truly not hard or expensive to meet." The exercise would allow the federal government to determine the extent to which support (through grants, for example) should be allocated, he says, and "more importantly, the aggregate results would identify areas of systemic vulnerability that could be addressed as a priority." 

However, others in the political and policymaking world disagree on the need for the requirements as they were proposed — specifically three state attorneys general and a pair of industry groups.

EPA Blowback From Industry, Conservatives

The sanitary surveys aren't going away, but including cybersecurity checks within them is a bridge too far, argued Republican lawmakers, who quickly mounted a multistate legal challenge to the augmentation of the Sanitary Survey Program, arguing that the EPA has no right to simply amend existing rules without a public comment period or legislative approval.

They also argued that the cost of considering cybersecurity as part of sanitary checks would be prohibitive — although estimates as to the cost of the reviews have not been made public.

"Rather than cleaning up our water, the federal government is hurting Iowa's small towns," said Iowa Attorney General Brenna Bird, in a statement made in April after joining the litigation. "At a time of soaring inflation, where it's hard enough to make ends meet, the federal government insists on making Iowans' water bills more costly. We're going to hold the Biden Administration accountable and protect Iowans' pocketbooks."

The American Water Works Association (AWWA) and the National Rural Water Association (NRWA) meanwhile in July won a petition to the US Court of Appeals for the Eighth Circuit to stop the cybersecurity rules from going into effect until the litigation was complete.

"NRWA commends the court for issuing this stay preventing EPA from enforcing the Cybersecurity Rule until it is determined if it has been lawfully implemented," said NRWA CEO Matthew Holmes in a statement at the time. "While NRWA fully supports efforts to strengthen cybersecurity in small communities across the country, enforcing this regulation is not the best way to help small and rural systems, and could have costly and unnecessary consequences."

In absence of cybersecurity mandates, the EPA is hoping to work with states, drinking water systems, and wastewater systems to implement voluntary measures, including conducting cybersecurity risk assessments and providing user training.

"There are upwards of 150,000 water facilities in the US. Expecting a small, rural water board to be able to operate under the same requirements, cyber or otherwise, as New York City is presently unrealistic," says Stephen Mozia, OT cybersecurity practice leader at Optiv. "A combination of local, state, and federal regulations and voluntary measures, such as investing in cybersecurity best practices, can bridge the gap in the long term."

Cyberattackers Look to Make Waves

The developments come as threats to water utilities continue to lurk on the edges of the critical infrastructure landscape.

"Cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities," according to the EPA's recent notice withdrawing the rules (PDF). In the March memo, it put a finer point on the problem: Cyberattacks have the "same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack," it warned.

Indeed, Kaspersky's 2023 H1 incident overview report on ICS systems showed that water supply and sewage companies were among the most-attacked critical infrastructure industries, with four officially confirmed incidents. In one instance, Galil Sewage Corp. in Israel's Galilee region confirmed that an attack targeted its programmable logic controllers (PLCs), which led to a temporary halt of its irrigation operations.

Evgeny Goncharov, head of Kaspersky ICS CERT, notes that the water system attacks were carried out by low-skilled actors and hacktivists, demonstrating how easy it is to access and manipulate OT systems.

"As the time passes, we see that both the hacktivists evolve, and more and more attacking tools and knowledge becomes available for them," he warns.

APTs could get into the mix too, he adds: "The geopolitical tensions may change everything in a minute — should another state decide attacking critical infrastructure of a 'non-friendly country' is not a taboo anymore."

To boot, financially motivated actors could be another risk.

"Cybercriminals may decide that the current most common monetizing scheme (data lock and/or extortion for ransomware and resale) is not efficient anymore [and] they may switch to locking physical equipment … which would be way more devastating than the current [ransomware attacks]," he says.

Unwanted outcomes could include loss of water quality through compromise of chemical injection and filtration processes, complete loss of availability of control systems and the need to revert to manual processes (traveling to manually open valves, measuring water levels), and, importantly, "disruption to waste treatment processes (also part of the water sector) that can very rapidly devolve into a public health emergency," Critical Insight's Hamilton points out.

Water System Cybersecurity Takes Long-Term Vision

While security researchers note that the EPA's heart is in the right place, securing and hardening water infrastructure is an incredibly complex task that will require a mesh of different yet related courses of action, and a good amount of industry-sector education.

"Water utility infrastructure is something not that easy to secure because of its diverse and distributed nature," explains Goncharov. "Lots of small and midsize objects equipped with different OT systems by multiple vendors, normally outdated, with various type remote connections. The other problem would be lack of qualified cybersecurity specialists to manage all the infrastructure security and the general low cybersecurity culture of personnel."

To get arms around the problem, Hamilton recommends that utilities first take the EPA up on its offer to support voluntary risk assessments. While funding is there for some improvements — the Cybersecurity for Rural Water Systems Act of 2023 has earmarked $7.5 million for rural water systems security, for instance — operators need to determine how to spend it.

"Operators are fully capable of using the NIST Cybersecurity Framework (CSF) to self-assess, identify areas of risk, and develop a corrective action plan with budget estimates," he says. "This information could be brought to the utility commissions that manage rates and potentially address the costs through rate increases. This assessment is not difficult, can be performed over one or two days, and would help the operators understand more broadly how to manage risk in these environments."

In addition, security specialists and government resources should put effort into deep cybersecurity awareness programs.

"Operators of water utilities, and especially the small and rural utilities that raised the objection regarding costs of assessments, generally come from a background in the trades and not information technology and are not versed in cybersecurity," Hamilton says. "Risk management is typically aligned with physical security to the exclusion of IT and OT."

Kaspersky's Goncharov suggests that regulatory bodies also "should do the hard work of preparing answers and how-tos to all the most common questions, explaining to the organizations both things technical (such as how the state/central incident monitoring system is secured and why they should trust it, and how it would be supporting the sector); and organizational/financial."