What Does More Look Like?

Abstract

Current cybersecurity governance in the water sector is based on a matrix of mandatory and voluntary standards, guidance, and associated legal principles. To date, market and regulatory signals have resulted in an inconsistent application of cybersecurity fundamentals. Technologies that operate critical infrastructure often were developed and installed before the reality of cyber threats created a demand on initial system design. Today, we know the threat posed by cyber bad actors is real and growing. Because the sector collectively is faced with a complex set of information systems and hardware that must operate 24–7 to ensure public health and safety, there is an opportunity and a need to improve the water sector's cybersecurity posture, which will require reconsideration of the sector's current approach to oversight and accountability. Given the number of high-profile cyber incidents that have affected multiple sectors in the past year, Congress has taken action to create mandatory cyber-incident reporting requirements for critical infrastructure systems—this includes water utilities. The Department of Homeland Security will develop the reporting requirements, including how information will be shared with a sector-specific risk management agency; this is the US Environmental Protection Agency (USEPA) for water systems. These same events have led to multiple directives from the White House for enhancing cybersecurity within the US government and the nation's critical infrastructure systems. As part of a general call for implementing best practices, the president and National Security Council mentioned water specifically as one of four sectors in need of focused attention on securing industrial controls systems. The congressional chartered bipartisan Cyberspace Solarium Commission (Solarium) has also focused on the water sector and will be issuing recommendations for improving cybersecurity this fall. It is anticipated that the Solarium report will identify options that Congress may take to stimulate the implementation of cybersecurity best practices, including requiring greater support from USEPA, building capacity, and providing directed funding for implementation of cybersecurity. There is intense federal attention on what various sectors are doing to manage the risk from cyber threats. This raises questions on what more should be done to ensure that water systems are taking appropriate actions to implement cybersecurity controls. We are therefore at a rare inflection point when it comes to informing a new oversight structure for cybersecurity in the water sector. One option is maintaining the voluntary use of existing guidance and standards. That was the approach taken by the pipeline sector until the Colonial Pipeline incident led to rapid implementation of highly prescriptive mandates that are not risk based. Another approach includes USEPA's planned action to incorporate cybersecurity into sanitary surveys. Conceptually, we can agree that cybersecurity is important to operational integrity; however, this state-run program does not have the resources nor cybersecurity expertise to implement appropriately. In April, AWWA's Water Utility Council commissioned a report to examine an approach that puts the water sector in a lead role, following the model used successfully in the electric sector. In particular, the report analyzes the creation of a sector-led process in close partnership with USEPA. This co-regulatory approach would be centered on a new entity, the Water Risk and Resilience Organization (WRRO), that would develop enforceable cyber standards and provide third-party audits. The diversity in utility size would require a tiered level of engagement, most likely starting with the largest drinking water and wastewater systems. Federal oversight would come from USEPA, with support from other federal agencies in the form of reviewing and approving standards developed by the WRRO. This approach provides a process that is capable of quickly adapting to the needs of the sector while ensuring that utility-based expertise guides standard development. In this case, the water sector is the driver rather a passenger. The only remaining question is if the sector is willing to take that responsibility and keep a hand on the wheel of governance or let go and hope for the best. Kevin M. Morley is manager of federal relations at the AWWA Government Affairs Office in Washington, D.C. He can be reached at kmorley@awwa.org. Paul N. Stockton is president of Paul N. Stockton LLC in Sante Fe, N.M.