The Environmental Protection Agency's effort to secure the country's water supply from cyberattack faces giant hurdles.
They include: The water system's low government funding and staffing levels, a heavy reliance on legacy IT, and the patchwork nature of the tens of thousands of local U.S. water authorities.
Driving the news: The EPA submitted its initial plan for tackling water security to Congress last month, laying out which systems it would slot for technical assistance first during a cyberattack.
- The agency is expected to roll out new rules this fall requiring state officials to include cybersecurity concerns in their existing water inspections, an official told E&E News.
Between the lines: The EPA faces different challenges than other agencies writing cybersecurity rules for the utilities they regulate because the U.S.'s water systems are so widely distributed and isolated.
- The country has roughly 148,000 public water systems.
- Most of those water systems operate through state and local governments that have their own budget constraints and priorities.
Those states and cities need to have the resources and motivation to prioritize water cybersecurity to make any blanket EPA federal regulations effective, says Padraic O'Reilly, co-founder and chief product officer at critical infrastructure cyber firm CyberSaint Security.
- Bryan Ware, former assistant director of cyber at the Cybersecurity and Infrastructure Security Agency, tells Axios that water system operators in small to medium-size towns have small IT teams, making it difficult for them to prioritize cyber protections.
Threat level: While the distributed water system makes it nearly impossible for a malicious hacker to take down the entire U.S. supply in one fell swoop, hackers can still wreak havoc on small to medium-size towns' water supplies.
- In February 2021, a hacker was able to break into the computer system running the water system serving 15,000 people in Oldsmar, Florida, and tamper with the amount of sodium hydroxide in the supply.
- Last month, a U.K. water supplier serving 1.6 million people said its offices were disrupted after a cyberattack.
The intrigue: The EPA faces its own resource shortages, hindering its ability to establish and enforce tough cybersecurity rules for water systems.
- At least one estimate suggests the agency spends $7 million on cybersecurity operations within the Office of Water. Experts say that's nowhere near enough.
- The EPA has asked Congress for more in next year's budget, including $25 million for a new grant program to build out and improve water cybersecurity infrastructure.
Yes, but: The EPA can still get creative with its regulatory approach.
- In its August report to Congress, the agency said that it plans to work with CISA to help water systems mitigate and recover from a cyberattack.
- Politico reported last month that the agency is eyeing rules similar to the TSA guidelines for pipelines, which are more flexible and allow operators to submit their own plans for addressing common cybersecurity problems.
- Industry groups like the American Water Works Association have been pushing the EPA to lean more on CISA’s free resources for critical infrastructure providers, including providing cyber hygiene scans.
- A spokesperson for the National Security Council tells Axios the White House and EPA are working with Congress on solutions to help better train and staff water security professionals.
What's next: The EPA is still mulling what form broad federal rules for water operators should take, as federal officials work to help low-resourced water operators make cybersecurity a higher priority.
- As Congress returns from summer recess this week and begins budget talks, funding the EPA's cybersecurity efforts will be one item on the long agenda.