Rep. Jim Langevin, D-R.I., is sounding the alarm over what he describes as continued inaction by the Environmental Protection Agency (EPA) to bolster the water sector’s cybersecurity defenses.
Langevin, an influential member of the House Homeland Security Committee and the Cyberspace Solarium Commission (CSC), said in remarks distributed Wednesday that the EPA “faces challenges in meeting its responsibilities” and remains unprepared to defend water infrastructure against cyberattacks.
“Knowing what we know about the cyber threats facing the water sector, this status quo simply cannot continue,” said Langevin, who was speaking at a water sector cybersecurity virtual event hosted by the national security think tank the Foundation for the Defense of Democracies (FDD).
The event, which was pre-recorded Friday and distributed to reporters Wednesday, was focused on an FDD-crafted and water industry-supported proposal for a sector-led water risk and resilience organization that would regulate the water sector’s cybersecurity efforts alongside the EPA.
Langevin said that until the EPA is “appropriately resourced and empowered to fulfill its critical mission” as the risk management agency for water, it will be difficult to improve the sector’s security posture. The water sector is widely seen as alarmingly ill-equipped to fend off cyberattacks, particularly in the aftermath of a cyberattack last year where a hacker raised lye levels at a Florida water plant to 100 times normal levels.
The EPA lacks resources, according to Mark Montgomery, who is the former executive director of the CSC and who now runs the Center on Cyber and Technology Innovation at FDD.
FDD published the November report which first proposed a new model for regulating water sector cybersecurity. What FDD calls a water sector “co-regulatory model” would resemble the Federal Electricity Regulatory Commission’s (FERC) partnership with the North American Electric Reliability Corporation (NERC). The latter is an industry-created nonprofit body that develops cybersecurity standards and other requirements for the electricity sector.
“Our vision here is a sector-led organization,” Montgomery said. “That’s because at this time, without getting to all the nitty-gritty, the EPA’s water cybersecurity team, you can count the total number of people on one hand. Three Finger Brown might have been able to count them all on one hand.”
Montgomery said that his research shows that the EPA’s cybersecurity arm within the Office of Water has at most $7 million in its annual budget for cybersecurity, far short of the $45 million the CSC recommended in its final report in March 2020.
A spokesperson for the EPA declined to comment on the budget and staffing numbers Montgomery cited and would not say how many people work on water cybersecurity nor how much budget the office has.
“The EPA is committed to using its available authorities and resources to strengthen cybersecurity across the water sector,” an EPA spokesperson said in a prepared statement. “Recent events have highlighted the importance of this effort and the agency is taking a multi-pronged approach in close partnership and coordination across the federal government and in collaboration with state agencies.”
The spokesperson said the agency “proactively highlights available tools to assist drinking water and wastewater utilities in preparing for, identifying, responding to, and recovering from cyber-attacks” and has developed a website with updated alerts and tools that utilities can use to improve cyber resilience. The agency is now implementing a plan to help protect water systems from cyberattacks, an effort which the statement said grew out of President Biden’s Industrial Control Systems (ICS) initiative.
But some water industry leaders say the EPA has not been responsive to their input. The EPA ignored outreach from the Association of Metropolitan Water Agencies suggesting a co-regulatory approach of the kind FDD has recommended, according to the organization’s acting CEO Michael Arceneaux, who is also the managing director of the Water Information Sharing and Analysis Center (WaterISAC). He said the EPA approach has been to use a water quality survey to assess water sector cybersecurity readiness.
“We just don’t understand how a sanitarian can determine whether a utility is adequately protecting itself against cyber threats,” Arceneaux said.
He said he supports the co-regulatory model in part because water sector cybersecurity experts are working inside the industry and not at the EPA.
“No one at EPA headquarters has any expertise regulating cybersecurity,” Arceneaux said.
Montgomery said EPA does not provide specific risk identification assessment standards for water sector cybersecurity, a signal that the agency is not doing enough to regulate the industry, he said.
“If you go on the EPA website now, it’s very disconcerting to read the language around assessments where it says, ‘We don’t provide a standard,’” Montgomery said. “It proactively says, ‘Not us,’ and it needs to be proactively ‘us.’ When you look at other sector risk management agencies that are succeeding, they have the opposite approach.”
Montgomery said the sector-led risk and resilience organization proposed by CSC could provide the templates for these assessments. He noted that EPA is supposed to regularly report the risks faced by the water sector to the Department of Homeland Security (DHS). But he said that can’t be happening based on reports from utilities that the EPA is not engaging them on the issue.
The CSC asserted the same, saying in its final report that it found “insufficient coordination between the EPA and other stakeholders in water utilities security.”
A spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) within DHS said in a prepared statement that the agency is collaborating with the EPA to make improvements.
“CISA has been co-leading a sprint to improve the cyber defenses of the water sector, and we continue to collaborate across government and industry to emphasize that every organization—large and small—must be prepared to respond to disruptive cyber activity,” the statement said.
But water industry leaders and Montgomery said not enough is being done, particularly since the water industry is uniquely fragmented and therefore harder to regulate. The United States has approximately 52,000 drinking water and 16,000 wastewater systems and the majority of service communities with less than 50,000 residents, the FDD report said.
“It’s just a wonder to me that there aren’t many more cybersecurity attacks because they’re only getting more sophisticated and … the implications are very high, very serious,” Arceneaux said.