Who should be in charge of protecting our water systems from cyber threats?


Federal officials don’t agree. Recent hacks on water systems exposed their vulnerabilities. But while some want the EPA to play a stronger role, others emphasized that local systems are best suited to defend themselves.

Who should ensure our critical water infrastructure is protected from cyberattacks? The water systems themselves? Or the Environmental Protection Agency?

A hearing last week before the House Energy and Commerce subcommittee showed there is little agreement on what role the federal government should play, if any. But the hearing did highlight the ongoing vulnerabilities in the sector.

It followed a November attack on the Municipal Water Authority of Aliquippa in Pennsylvania, whose water management system was breached by the Iran-linked Cyber Av3ngers gang. The attack prompted calls for a federal investigation, as lawmakers said Congress must act to bolster cybersecurity protections for a sector that is often underfunded, understaffed and wrestling with aging technology.

On Friday, the Treasury Department sanctioned several Iranian cyber officials tied to the water system hacks.

“Thankfully, the attack did not interrupt my constituents’ water service or compromise their personal information, but such risks are obvious,” Democratic Rep. Chris Deluzio of Pennsylvania wrote in a recent letter. “Any attack on our nation’s critical infrastructure is of significant concern, and Congress must work in a bipartisan way to ensure water systems and others have the necessary protections.”

During the hearing, there were several references to the EPA’s now withdrawn proposal to include cybersecurity audit requirements for water utilities as part of their sanitary surveys, which review a public water system every three years to assess its ability to provide safe drinking water.

The EPA withdrew the memo amid legal challenges from Arkansas, Iowa and Missouri, which had argued that beefing up cybersecurity requirements would be challenging for financially strapped water systems, which would in turn end up passing increased costs to consumers. Opponents also argued that water systems lacked the staffing and expertise to carry out more stringent cybersecurity assessments, and said that the results could be exposed.

Currently, under a section of the 2018 America's Water Infrastructure Act, drinking water systems that serve more than 3,330 people must review their vulnerability to attacks every five years and incorporate those findings into their emergency response plans.

Committee Chair Cathy McMorris Rodgers said the existing arrangement “ensures water facility operators are better prepared to mitigate threats, while also protecting them from cumbersome and ill-suited regulations that could hinder their ability to quickly respond when threats do arise.”

Water industry representatives testified that were Congress to mandate a larger role for the EPA in protecting water systems’ cybersecurity, there would need to be much greater coordination and collaboration with the state agencies that regulate water systems. 

Cathy Tucker-Vogel, past president of the Association of State Drinking Water Administrators and public water supply section chief at the Kansas Department of Health and Environment, said a sector-wide response to cybersecurity would be “impossible” without that collaboration.

“Any national approaches to cybersecurity must harmonize with existing state approaches, to avoid duplication of effort or confusion, and allow sufficient flexibility to enable primacy agencies to engage effectively with [public water systems],” Tucker-Vogel continued in her written testimony.

Water systems’ approach to cybersecurity varies depending on the amount of money and staff they can dedicate to the threat. A 2021 survey conducted by the Water Sector Coordinating Council found that nearly 60% of respondents address cybersecurity in their overall risk assessments, but less than half—38%—have identified their networked assets and 22% are working to identify them.

Scott Dewhirst, superintendent of Tacoma Water in Washington state and a board member at the Association of Metropolitan Water Agencies, testified that utilities must take better advantage of existing resources and recommended participation in the Water Information Sharing and Analysis Center, or WaterISAC, to encourage utilities to collaborate and share information on threats. 

Dewhirst also urged incentivizing the adoption of best practices and funding the EPA’s cyber resilience program that was authorized in the 2021 bipartisan infrastructure law. “We have an opportunity to make progress across the sector,” Dewhirst said in his written testimony.

Democrats on the subcommittee reiterated their desire to see the EPA play a bigger role in helping water systems’ cybersecurity. Committee Ranking Member Frank Pallone said lawmakers must help ensure the agency has “the necessary tools and can leverage sector-specific expertise and institutional knowledge to adequately prevent and respond to cybersecurity concerns.” 

With the support of elected officials, the EPA can provide more robust cyber defenses in partnership with other federal agencies and the private sector, he said.

“EPA has the institutional knowledge and expertise to engage with water systems and other federal partners to address complex, sector-specific threats,” Pallone said. “Currently, EPA provides technical assistance, education and resources to help water systems bolster cyber protections.”

Republican subcommittee members were unconvinced about letting the EPA play a bigger role in cybersecurity. Chair Buddy Carter of Georgia said the sector is already a “willing partner” and keen to work jointly with the EPA and the Department of Homeland Security in an “environment of collaboration.”

“Water systems have an inherent interest in defending themselves from cyber threats and protecting the safety of the water for their customers,” Carter said in his opening statement. “They do not need Washington agencies to remind them of this. What they need is the technical knowledge and resources that help them protect themselves.”
