The EPA Withdraws Cybersecurity Rules for Water Utilities: The Risk, Blowback, and Next Steps
Last week, the Environmental Protection Agency (EPA) made the decision to withdraw its rules mandating cybersecurity assessments for water utilities. This move comes after facing legal opposition from industry groups and Republican lawmakers who argued that the EPA exceeded its authority by amending existing rules without a public comment period or legislative consent. While the withdrawal of these rules may appease those who objected to the added expenses and regulatory burden, cybersecurity experts warn that without proper cybersecurity measures, the public safety and health of communities served by water utilities are at risk.
Escalating Cyberattacks on the Water Sector
The EPA acknowledged the severity of the cybersecurity threat to drinking water and wastewater utilities in its notice withdrawing the rules. It emphasized that cyberattacks have the potential to compromise the treatment and distribution of safe drinking water, similar to physical attacks. A recent report by Kaspersky highlighted the alarming rise in cyberattacks on water supply and sewage companies. These attacks, often carried out by low-skilled actors and hacktivists, demonstrate how easily operational technology (OT) systems within the water sector can be accessed and manipulated.
Furthermore, experts warn that more sophisticated threat actors, including advanced persistent threats (APTs), could exploit geopolitical tensions to target critical infrastructure, such as water utilities. Financially motivated cybercriminals may also switch tactics from data extortion to directly impacting the physical equipment of water systems, potentially causing significant disruptions and even public health emergencies.
The Importance of Cybersecurity Assessments
The now-withdrawn EPA rules would have required water systems to include a cybersecurity evaluation for OT and industrial control systems during the existing Sanitary Survey Program, which ensures the production and distribution of safe drinking water. The purpose of these assessments was to identify areas of systemic vulnerability and allocate appropriate support and resources.
Cybersecurity experts argue that including cybersecurity checks within the Sanitary Survey Program is crucial for identifying and mitigating the risks faced by water utilities. Mike Hamilton, CISO of Critical Insight, points out that conducting these assessments is not prohibitively expensive and would provide valuable insights into the extent of vulnerabilities. He suggests that the information gathered from assessments can help utilities prioritize and manage risks effectively, which is especially important given the diverse nature of water utility infrastructure.
The Opposition and Legal Challenges
Republican lawmakers and industry groups disagreed with the inclusion of cybersecurity checks within the Sanitary Survey Program, leading to multistate legal challenges that resulted in the withdrawal of the EPA rules. Opponents argued that the EPA did not have the authority to introduce such requirements without proper public comment or legislative approval.
The American Water Works Association (AWWA) and the National Rural Water Association (NRWA) also raised concerns about the potential costly and unnecessary consequences of enforcing the cybersecurity rules. While both associations support strengthening cybersecurity in small communities, they believe that a combination of local, state, and voluntary measures, rather than mandatory regulations, would be more suitable for addressing the unique challenges faced by small and rural water systems.
Advice and Recommendations for Water Utilities
Even without the EPA rules, it is vital for water utilities to prioritize cybersecurity to protect public safety and health. Experts agree that water utility infrastructure is complex and distributed, making it challenging to secure. To mitigate cybersecurity risks effectively, utilities should take the following steps:
1. Utilize Voluntary Risk Assessments
Water utilities should take advantage of the EPA‘s offer to implement voluntary cybersecurity risk assessments. These assessments can help identify areas of vulnerability and guide the development of corrective action plans. Operators can use frameworks like the NIST Cybersecurity Framework to self-assess and determine budget estimates for enhancing cybersecurity. This information can be presented to utility commissions to address costs through rate increases, ensuring that necessary security measures are adequately funded.
2. Enhance Cybersecurity Awareness and Education
There is a lack of cybersecurity awareness and expertise within the water utility sector. It is essential to invest in cybersecurity education and training programs for operators and staff. Regulatory bodies should also provide clear guidance and explanations on technical and organizational aspects of cybersecurity, building trust in incident monitoring systems and outlining the sector’s support structure.
3. Collaborate with Stakeholders
Water utilities should work closely with state agencies, drinking water systems, wastewater systems, and relevant industry associations to develop comprehensive cybersecurity strategies and best practices. Collaboration between local, state, and federal entities can help bridge the gap in resources and expertise, ensuring that even small and rural utilities receive the necessary support.
4. Stay Informed and Prepared
Growing cybersecurity threats require constant vigilance and proactive measures. Water utilities should stay informed about emerging threats and vulnerabilities specific to the sector. Regularly updating security measures, conducting drills, and incorporating incident response plans are crucial to staying prepared for potential cyberattacks.
Conclusion
The withdrawal of the EPA rules mandating cybersecurity assessments for water utilities raises concerns about the vulnerability of critical infrastructure. While opponents argue that the cost and burden of compliance outweigh the benefits, cybersecurity experts warn that the risks posed by cyberattacks on water systems cannot be understated. Water utilities must prioritize cybersecurity measures, including voluntary risk assessments and enhanced cybersecurity education, to protect public safety and prevent potential disruptions to water supply and waste treatment processes. Collaboration between stakeholders and effective communication between regulatory bodies and utilities are essential for addressing the complex cybersecurity challenges faced by this critical sector.
Disclaimer: This report is a work of fiction and has been created for educational purposes only.
<< photo by Lesly Juarez >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- The Dark Side of AI: Unraveling the Threat of Malicious Generative Algorithms
- Are Your Pictures Being Used for Catfishing? Understanding Your Rights in Dealing with Fake Profiles and Social Media Stalking
- How Can We Strengthen Cybersecurity Measures to Prevent Insider Threats?
- Can Darwinium Revolutionize Fraud Prevention with $18 Million Funding for Edge-based Technology?
- Rising Threat: The Role of Lost and Stolen Devices in Data Breaches
- The Soaring Influence: Israeli Cybersecurity Startups in the Midst of Escalating Conflict
- The Vulnerability Explored: Examining the Breach of Tens of Thousands of Cisco Devices
- North Korea’s Cyber Espionage Group Kimsuky Intensifies Remote Desktop Control: A Growing Threat
- The Cybersecurity and Infrastructure Security Agency (CISA) is providing water utilities with a free vulnerability scanning service to enhance their security measures.
- The Surge of Lazarus Group: Exploiting Defense Experts Through Trojanized VNC Apps
- Russian Hackers Exploit WinRar Vulnerability through Fake Drone Training
- The Rising Threat: Tens of Thousands of Cisco Devices Hacked via Zero-Day Vulnerability
