The vast majority of Americans get their drinking water from public water systems, which are increasingly vulnerable to cyber attack thanks to reliance on automated, connected systems. ESG columnist John Peiserich explores a new EPA mandate designed to ensure these systems are secure.
About nine in 10 people in the U.S. get their drinking water from a public water system, with some 150,000 systems supplying that natural resource. Annually, systems are required to release a consumer confidence report, which includes items like contaminants present in the water and educational information on areas where contaminants may be of concern.
In the past several years, information technology systems have been increasingly built into public water systems to enhance treatment and delivery. However, introduction of technology also presents potential risk. Infrastructure elements, including water processing and delivery, have traditionally struggled with the concept of integrating information technology (IT) with operational technology (OT). This integration becomes even more challenging with the introduction of Internet of Things devices added to the PWS ecosystem.
These IT and OT advancements, including industrial control systems and supervisory control and data acquisition systems (ICS/SCADA), which can automate many elements of OT and improve the ability to monitor and control, can also increase risk. The potential risk is not just a systems breach but the interruption of critical services vital to our country, including power, telecommunications, roadways and, yes, water.
Like other government and municipal entities, water utilities have budget limitations. Accordingly, introducing new IT that requires ongoing updates, monitoring and maintenance, necessitates additional investment to defend against public safety and national security threats to these critical infrastructure elements.
The Safe Water Drinking Act (SDWA), under which the EPA exercises its oversight authority of the nation’s water supply, which requires states to conduct periodic audits or “sanitary surveys” of public water systems (PWSs), including the equipment and operation of the systems, also requires states to evaluate the cybersecurity of water systems, according to an EPA memo released in March.
EPA’s memo, released a day after the Biden Administration published a comprehensive cybersecurity plan for government agencies, industry, schools, hospitals and other key infrastructure, states, “While PWSs have taken important steps to improve their cybersecurity, a recent survey and reports of cyber-attacks show that many PWSs have failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by cyber attack — whether from an individual, criminal collective or a sophisticated state or state sponsored actor.”
It is a horrible day when corporate America is attacked; it can be deadly if water supplies are impacted.
How will states conduct cybersecurity reviews?
The memorandum allows states to adopt one of three options for incorporating cybersecurity review into PWS sanitary surveys. States may utilize 1) PWS or third-party assessment, 2) state evaluation during the sanitary survey or 3) an existing state water system cybersecurity program that is at least as stringent as a sanitary survey. Importantly, if a state allows PWSs to conduct their own cybersecurity evaluations or hire a third party, the assessment must be completed prior to the state sanitary survey. The state may also require the PWS to develop a risk mitigation plan prior to the sanitary survey to address any cybersecurity gaps that are identified during a self-assessment. Any method used for self-assessment would need to be conducted using a government or other state-approved method. Any private third party conducting the assessment would similarly need to be approved by the state.
What is the immediate industry response?
Industry response to the EPA’s new cybersecurity assessment requirement for PWSs has been mixed. Mike Hamilton, former chief security officer for the city of Seattle, commented that limiting approved assessment methodology to government or state-approved methods “make[s] this activity hard to scale across the breadth of water utilities across the country.” Tracy Mehan, executive director of government affairs at the American Water Works Association, similarly warns that the plan puts states in a tough position by directing that cybersecurity reporting should start immediately.
Integration of the EPA’s new cybersecurity assessment into PWS operations may depend on the current state of the utility. Facilities with integrated IT and OT that have any outward or public facing network elements likely already have a robust cybersecurity program. If not, they will likely have a steep hill to climb to successfully complete the EPA’s mandated cybersecurity assessment and will need to begin securing their networks expeditiously.
If IT and OT are still separated, there may be less risk of a significant gap now being identified during state sanitary surveys, but this does not mean that immediate action will not still be necessary; rather, the potential impact of a cyberattack is segregated based on the isolated nature of the OT environment. Action to protect internet facing network elements will still be required. If a utility cannot bill or track service, it is effectively shut down, which may present a public safety or national security threat.
Conversely, reliance on the EPA’s memorandum alone may not be enough to secure the nation’s water supply. Tied to the current requirements for community and non-community state sanitary surveys, PWS cybersecurity assessments will be necessary once every three or five years, or more frequently where appropriate. Cybersecurity good practices typically suggest more frequent and ongoing assessment.
What can PWSs do now to accelerate compliance?
With its memo, EPA provides an optional checklist that states may use during a sanitary survey to evaluate the cybersecurity of a PWS’s operational technology. Prior to the rule coming into effect, if a state does not elect to implement a self- or third-party assessment, PWSs should give serious consideration to this checklist and take steps to develop a plan that includes creating internal accountability and conducting an informal cybersecurity review sufficiently in advance of any upcoming sanitary survey to allow for implementation of corrective good practices prior to state assessment.
For some PWSs, this will be starting from scratch. They should start with the EPA questions below and other free tools available to establish a picture of the current state and begin working on enhancing their ability to defend against and respond to cyberattack.
- Does the PWS detect and block repeated unsuccessful login attempts?
- Does the PWS change default passwords?
- Does the PWS require multi-factor authentication wherever possible but at a minimum to remotely access PWS operational technology (“OT”) networks?
- Does the PWS require a minimum length for passwords?
- Does the PWS separate user and privileged accounts?
- Does the PWS require unique and separate credentials for users to access OT and IT networks?
- Does the PWS immediately disable access to an account or network when access is no longer required due to retirement, change of role, termination or other factors?
- Does the PWS require approval before new software is installed or deployed?
- Does the PWS disable Microsoft Office macros, or similar embedded code, by default on all assets?
- Does the PWS maintain an updated inventory of all OT and IT network assets?
- Does the PWS prohibit the connection of unauthorized hardware to OT and IT assets?
- Does the PWS maintain current documentation detailing the set-up and settings of critical OT and IT assets?
- Does the PWS collect security logs to use in both incident detection and investigation?
- Does the PWS protect security logs from unauthorized access and tampering?
- Does the PWS use effective encryption to maintain the confidentiality of data in transit?
- Does the PWS use encryption to maintain the confidentiality of stored sensitive data?
Governance and training
- Does the PWS have a named role/position/title that is responsible and accountable for planning, resourcing, and execution of cybersecurity activities within the PWS?
- Does the PWS have a named role/position/title that is responsible and accountable for planning, resources, and execution of OT-specific cybersecurity activities?
- Does the PWS provide at least annual training for all PWS personnel that covers basic cybersecurity concepts?
- Does the PWS offer OT-specific cybersecurity training on at least an annual basis to personnel who use OT as part of their regular duties?
- Does the PWS offer regular opportunities to strengthen communication and coordination between OT and IT personnel, including vendors?
- Does the PWS patch or otherwise mitigate known vulnerabilities within the recommended time frame?
- Does the PWS ensure that assets connected to the public Internet expose no unnecessary exploitable services?
- Does the PWS eliminate connections between its OT assets and the internet?
Supply chain/third party
- Does the PWS include cybersecurity as an evaluation criterion for the procurement of OT assets and services?
- Does the PWS require that all OT vendors and service providers notify the PWS of any security incidents or vulnerabilities in a risk-informed timeline?
Response and recovery
- Does the PWS have a written procedure for reporting cybersecurity incidents, including how and to whom?
- Does the PWS have a written cyber security incident response plan for critical threat scenarios which is regularly practiced and updated?
- Does the PWS have backup systems necessary for operations on a regular schedule, store backups separately from the source systems, and test backups on a regular basis?
- Does the PWS maintain updated documentation describing network topology across PWS OT and IT networks?
- Does the PWS segment OT and IT networks and deny connections to the OT network by default unless explicitly allowed?
- Does the PWS keep a list of threats and adversary tactics, techniques, and procedures for cyberattacks relevant to the PWS and have the capability to detect instances of key threats?
- Does the PWS use email security controls to reduce common email-based threats, such as spoofing, phishing and interception?