ENVIRONMENTALLY FRIENDLY Protection Agency’s effort to secure the country’s water supply from cyberattack faces giant hurdles.
They include: The water system’s low government funding and staffing levels, much reliance on legacy IT, and the patchwork nature of the thousands of localU.S. water authorities.
Driving the news headlines: The EPA submitted its initial arrange for tackling water security to Congress last month, installation of which systems it could slot for technical assistance first throughout a cyberattack.
- The agency is likely to roll out new rules this fall requiring state officials to add cybersecurity concerns within their existing water inspections, the official told E&E News.
Between your lines: The EPA faces different challenges than other agencies writing cybersecurity rules for the utilities they regulate as the U.S.’s water systems are so widely distributed and isolated.
- The united states has roughly 148,000 public water systems.
- The majority of those water systems operate through state and local governments which have their very own budget constraints and priorities.
Those states and cities have to have the resources and motivation to prioritize water cybersecurity to create any blanket EPA federal regulations effective, says Padraic O’Reilly, co-founder and chief product officer at critical infrastructure cyber firm CyberSaint Security.
- Bryan Ware, former assistant director of cyber at the Cybersecurity and Infrastructure Security Agency, tells Axios that water system operators in small to medium-size towns have small IT teams, rendering it problematic for them to prioritize cyber protections.
Threat level: As the distributed water system helps it be extremely difficult for a malicious hacker to remove the complete U.S. supply in a single fell swoop, hackers can still wreak havoc on small to medium-size towns’ water supplies.
- In February 2021, a hacker could break right into the computer system running the water system serving 15,000 people in Oldsmar, Florida, and tamper with the quantity of sodium hydroxide in the supply.
- Last month, a U.K. water supplier serving 1.6 million people said its offices were disrupted following a cyberattack.
The intrigue: The EPA faces its resource shortages, hindering its capability to establish and enforce tough cybersecurity rules for water systems.
- A minumum of one estimate suggests the agency spends $7 million on cybersecurity operations within any office of Water. Experts say that’s nowhere near enough.
- The EPA has asked Congress for more in next year’s budget, including $25 million for a fresh grant program to create out and improve water cybersecurity infrastructure.
Yes, but: The EPA can still get creative using its regulatory approach.
- In its August are accountable to Congress, the agency said that it plans to utilize CISA to greatly help water systems mitigate and get over a cyberattack.
- Politico reported last month that the agency is eyeing rules like the TSA guidelines for pipelines, which tend to be more flexible and invite operators to submit their very own plans for addressing common cybersecurity problems.
- Industry groups just like the American Water Works Association have already been pushing the EPA to lean more on CISAs free resources for critical infrastructure providers, including providing cyber hygiene scans.
- A spokesperson for the National Security Council tells Axios the White House and EPA will work with Congress on answers to help better train and staff water security professionals.
What’s next: The EPA continues to be mulling what form broad federal rules for water operators should take, as federal officials work to greatly help low-resourced water operators make cybersecurity an increased priority.
- As Congress returns from summer recess this week and begins budget talks, funding the EPA’s cybersecurity efforts will undoubtedly be one item on the long agenda.