An urgent virtual meeting between White House, Environmental Protection Agency and state homeland security and health officials last week emerged against a backdrop of increasing tensions over how to best approach the threat of malicious cyberattacks against the public water industry.
The Biden administration in October 2023 withdrew plans to include cybersecurity as part of periodic audits of public water systems after a successful legal challenge by several states and industry groups before the U.S. Court of Appeals.
The court challenge was led by attorney’s general from Missouri, Iowa and Arkansas and supported by the American Water Works Association and the National Rural Water Association.
However, the threat landscape quickly escalated late last year when threat groups linked to Iran’s Islamic Revolutionary Guard Corps. began targeting the U.S. with attacks against water utilities and other organizations by exploiting vulnerable Unitronics programmable logic controllers.
“The nation’s water systems face cyber threats from criminals and countries alike,” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies, according to a readout provided by EPA. “We must lock our digital doors to meet the threat.”
Neuberger spoke along with EPA Deputy Administrator Janet McCabe to state and local officials from across the country regarding the growing threats to water systems.
The discussion included efforts being made by several states to address the threat to water systems and challenges to access technical expertise and other resources local water systems need.
Neuberger asked each state to share a plan by May 20 for addressing how they are addressing potential cyber vulnerabilities for drinking and wastewater systems and what efforts exist to put protections in place.
EPA officials also outlined additional efforts to create a Water Sector Cybersecurity Task Force.
A spark of tension
The tension between federal agencies and local industry officials is not a surprising or unexpected development, however many of these community water systems lack the funding or expertise to prioritize a full-time cybersecurity expert.
There is also a lack of trust in top down mandates coming from Washington.
“We know that utilities of all sizes today are on the front lines defending themselves against cyberattacks from highly motivated adversaries with financial and political agendas,” Katherine Ledesma, head of public policy and government affairs at Dragos, said via email.
“And especially when we look at the water sector, they face unique challenges in accessing the resources, tools and expertise they need,” Ledesma said. “Small public water systems represent more than 90% of the nation’s community water systems and they simply don’t have the same resources as larger organizations.”
In January testimony before the House Subcommittee on Environment, Manufacturing and Critical Materials, Cathy Tucker-Vogel, public water supply section chief for the Kansas Department of Health and Environment and past president of the Association of State Drinking Water Administrators, raised multiple concerns about the EPA’s push last year for water utilities to conduct mandatory audits, also called sanitary surveys.
“EPA’s recently withdrawn memorandum exceeded the water sector’s capacity and raised significant implementation concerns,” Tucker-Vogel told the House subcommittee in January, according to testimony submitted to the committee, which included multiple letters sent to EPA officials about those concerns.
Among the major concerns raised by state and local officials include the limited amount of funding available for cybersecurity, the limited amount of subject matter expertise and the need for continuous training.
The EPA, Cybersecurity and Infrastructure Security Agency and other agencies provide extensive resources, in the form of vulnerability scanning, tabletop exercises and local funds that are available to water utilities.
The EPA needs to embrace a public-private collaborative model similar to what is used by the electric power industry, according to Mark Montgomery, senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.
Montgomery said neither EPA nor the water utilities have the resources to force mandatory inspections of every water utility. But an outside public private organization could be set up to help implement agreed upon assessments, he said
“A public-private collaboration is when you work together, kind of agree to a standard, find a way to get an organization going that can actually do these third-party assessments,” Montgomery said.
Multinational threat to a vulnerable sector
As Moody’s officials noted, the water sector has seen a recent increase in ransomware attacks in the U.S. and in allied nations overseas, as highlighted by recent attacks against the municipal water division of Veolia North America and Southern Water in the U.K.
Cybersecurity officials in the U.K. said they are working diligently to address the growing threats against the water sector.
“We know that the UK’s critical national infrastructure faces an enduring and significant cyber threat from a range of actors and it remains vital that essential service providers take action to bolster their online defences,” a spokesperson for the U.K.’s National Cyber Security Centre said via email.
The NCSC also issued industry guidance in 2023 regarding the threat of malicious attacks targeting users of the Unitronics PLCs. The agency urged organizations to follow the guidance issued by U.S. and Israeli agencies on how to mitigate the threat activity against organizations using the devices. Beyond water, the devices were also used by healthcare, energy and food and beverage companies.
Moody’s sees the water and wastewater sectors as one of the top five industry sectors at the highest risk of attack, according to Phil Cope, VP of Moody’s Ratings.
“The water sector’s exposure is rising as the industry is becoming increasingly digitalized through the installation of data logging equipment and smart meters, a trend we expect to continue given the need to reduce per capita consumption,” Cope said in a statement.
Industry officials said they agree there is a heightened cyber risk against the drinking and wastewater industries, but if the federal government wants to impose new rules for how to mitigate the risk, they need to come up with more resources to support the industry.
“The key thing is that if they really want this to work, they need to pass money to the states,” Alan Roberson, executive director of the Association of State Drinking Water Executives, said.
Source link