Critical Infrastructure Security
,
Governance & Risk Management
,
Operational Technology (OT)
Legal and Voluntary Methods Fall Short
Cyber threats against the U.S. water sector are growing but the main federal regulatory agency that oversees it may be stymied by a lack of cooperation from sector operators, concludes a Government Accountability Office report.
See Also: From Ancient Myths to Modern Threats: Securing the Transition from Legacy to Leading Edge
Water sector associations and water system operators don’t want to collect cybersecurity performance metrics, Environmental Protection Agency officials told the GAO. “These officials said in December 2023 that the agency therefore had no viable route to acquire data and develop water-specific performance metrics,” the congressional watchdog said in a Thursday report.
Politically motivated and ransomware attacks alike against the water sector have mounted steadily (see: Iranian Hacking Group Attacks Pennsylvania Water authority).
Even if not large in number – the GAO said there were five known attacks against water and wastewater systems that occurred from 2019 through 2021 – such attacks hold the potential to damage public health and cause cascading effects on other sectors dependent on a functional water system.
Known attacks include three ransomware attacks in 2021 against water systems in California, Maine and Nevada that affected utility SCADA servers.
The EPA backed down in 2023 an attempt to make cybersecurity a component of federally mandated safety assessments of water systems after federal judges ordered the Environmental Protection Agency to halt those efforts (see: US EPA Nixes Cybersecurity Assessments of Water Systems).
The agency invoked powers earlier this year under the Safe Drinking Water Act to make the security of operational technology a factor in periodic assessments, which the agency calls “sanitary surveys.” A federal judge in a lawsuit brought by rom the attorneys general of Missouri, Arkansas and Iowa, as well as industry lobbying groups American Water Works Association and the National Rural Water Association, stayed the EPA order.
The EPA has said it still “intends to use enforcement authorities to address problems quickly,” but the GAO said that the EPA never provided documentation of which statutory authorities it can invoke to force water systems into improving cybersecurity.
Water system operators and cybersecurity experts say sector resistance to cybersecurity mandates doesn’t come from ignorance of the risk, but from lack of funding. “State and local agencies are chronically tight on funding, and cybersecurity is a line item – an expensive line item – that wasn’t on most agency budgets a few years ago,” said Sean Deuby, principal technologist for the threat mitigation platform Semperis, told Information Security Media Group earlier this year (see: Water Sector Lacks Support to Meet White House Cyber Demands).