EPA Calls Off Water Surveys To Regulate Sector’s Cybersecurity

Last week, in a letter to state drinking water administrators, the EPA announced that it will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys, after litigation from various states and trade associations raised questions about the long-term legal viability of the initiative to regulate water utilities' cybersecurity.

Experts from the water industry who opposed making the EPA the sector's cybersecurity authority doubted whether a sanitary survey was the right tool to enforce cybersecurity mandates, as the process traditionally does not involve security auditors who understand the complex nature of protecting industrial systems.

The EPA said it encourages “all states to voluntarily review public water system cybersecurity programs to ensure that any vulnerabilities are identified and corrected, and assistance is provided to systems that need help.”

Of the existing 16 critical infrastructure sectors, many, like water and wastewater, lack cybersecurity regulations. Using a voluntary approach to regulate cybersecurity was described in the National Cybersecurity Strategy as resulting in “inadequate and inconsistent outcomes.”

Emily Phelps, Director at Cyware, had this to say:
   “No industry or sector is immune from cyber threats. Although there are legitimate concerns about the efficacy of sanitary surveys to assess cybersecurity readiness, securing our critical infrastructure must be a top priority. To truly combat rising cyberattacks, funding is necessary. Public-private partnerships can be instrumental in bridging this gap. Leveraging expertise from private cybersecurity firms can alleviate staffing issues and provide the needed technical expertise.

   “It’s crucial to address this across all sectors, ensuring there’s a unified approach to cybersecurity. Sector-specific cybersecurity frameworks, combined with cross-sector collaboration, can result in a stronger and more resilient infrastructure.”

Craig Harber, Security Evangelist at Open Systems, follows with this comment:

   “The IT/OT convergence occurring within our industry sectors and the nation’s critical infrastructure creates new opportunities for efficiency and innovation, while it also introduces new cybersecurity challenges that organizations must mitigate.

   “These cybersecurity challenges are not limited to just attacks directed at the OT devices and systems from IT infrastructure. The IT infrastructure is equally as vulnerable to attacks originating on OT devices and systems. Both environments potentially expose new threats and create new attack vectors that, if not addressed, will become high-value targets for exploitation by threat actors.

   “The EPA’s approach to create a ‘coalition of the willing’ whereby they encourage states to voluntarily do the right thing is not likely to succeed. Cybersecurity is not a siloed problem; it is a team sport. States need to develop a collective defense strategy where security teams from each industry sector share threat intelligence and work in collaboration to identify and neutralize threats. This collaborative approach will allow security teams within an industry sector (and possibly amongst industry sectors) to fully leverage the limited resources and skilled analysts available to combat cyber threats that are increasing in velocity and sophistication.”

Public infrastructure needs to be secure. Everyone needs to work together to ensure that the infrastructure we rely on is secure, or we will all fail.
