Who should be in charge of protecting our water systems from cyber threats?

Who should ensure our critical water infrastructure is protected from cyberattacks? The water systems themselves? Or the Environmental Protection Agency?

A hearing last week before the House Energy and Commerce subcommittee showed there is little agreement on what role the federal government should play, if any. But the hearing did highlight the ongoing vulnerabilities in the sector.

It followed a November attack on the Municipal Water Authority of Aliquippa in Pennsylvania, which had its water management system breached by the Iran-linked Cyber Av3ngers gang. The attack prompted calls for a federal investigation into the attack, as lawmakers said Congress must act to bolster cybersecurity protections for a sector that is often underfunded, understaffed and wrestling with aging technology. 

On Friday, the Treasury Department sanctioned several Iranian cyber officials tied to the water system hacks.

“Thankfully, the attack did not interrupt my constituents’ water service or compromise their personal information, but such risks are obvious,” Democratic Rep. Chris Deluzio of Pennsylvania wrote in a recent letter. “Any attack on our nation’s critical infrastructure is of significant concern, and Congress must work in a bipartisan way to ensure water systems and others have the necessary protections.”

During the hearing, there were several references to the EPA’s now withdrawn proposal to include cybersecurity audit requirements for water utilities as part of their sanitary surveys, which review a public water system every three years to assess its ability to provide safe drinking water.

The EPA withdrew the memo amid legal challenges from Arkansas, Iowa and Missouri, which had argued that beefing up cybersecurity requirements would be challenging for financially-strapped water systems, and they would in turn end up passing increased costs to consumers. Opponents also argued that water systems lacked the staffing and expertise to carry out more stringent cybersecurity assessments, and said that the results could be exposed.

Currently, drinking water systems that serve more than 3,330 people must review every five years their vulnerability to attacks and incorporate those findings into their emergency response plans under a section of the 2018 America's Water Infrastructure Act.

Committee Chair Cathy McMorris Rodgers said the existing arrangement “ensures water facility operators are better prepared to mitigate threats, while also protecting them from cumbersome and ill-suited regulations that could hinder their ability to quickly respond when threats do arise.”

Water industry representatives testified that were Congress to mandate a larger role for the EPA in protecting water systems’ cybersecurity, there would need to be much greater coordination and collaboration with the state agencies that regulate water systems. 

Cathy Tucker-Vogel, past president of the Association of State Drinking Water Administrators and public water supply section chief at the Kansas Department of Health and Environment, said a sector-wide response to cybersecurity would be “impossible” without that collaboration.

“Any national approaches to cybersecurity must harmonize with existing state approaches, to avoid duplication of effort or confusion, and allow sufficient flexibility to enable primacy agencies to engage effectively with [public water systems],” Tucker-Vogel continued in her written testimony.

Water systems’ approach to cybersecurity varies depending on the amount of money and staff they can dedicate to the threat. A 2021 survey conducted by the Water Sector Coordinating Council found that nearly 60% of respondents address cybersecurity in their overall risk assessments, but less than half—38%—have identified their networked assets and 22% are working to identify them.

Scott Dewhirst, superintendent of Tacoma Water in Washington state and a board member at the Association of Metropolitan Water Agencies, testified that utilities must take better advantage of existing resources and recommended participation in the Water Information Sharing and Analysis Center, or WaterISAC, to encourage utilities to collaborate and share information on threats. 

Dewhirst also urged incentivizing the adoption of best practice and funding for the EPA’s cyber resilience program that was authorized in the 2021 bipartisan infrastructure law. “We have an opportunity to make progress across the sector,” Dewhirst said in his written testimony.

Democrats on the subcommittee reiterated their desire to see the EPA play a bigger role in helping water systems’ cybersecurity. Committee Ranking Member Frank Pallone said lawmakers must help ensure the agency has “the necessary tools and can leverage sector-specific expertise and institutional knowledge to adequately prevent and respond to cybersecurity concerns.” 

With the support of elected officials, the EPA can provide more robust cyber defenses in partnership with other federal agencies and the private sector, he said.

“EPA has the institutional knowledge and expertise to engage with water systems and other federal partners to address complex, sector-specific threats,” Pallone said. “Currently, EPA provides technical assistance, education and resources to help water systems bolster cyber protections.”

Republican subcommittee members were unconvinced about letting the EPA play a bigger role in cybersecurity. Chair Buddy Carter of Georgia said the sector is already a “willing partner” and keen to work jointly with the EPA and the Department of Homeland Security in an “environment of collaboration.”

“Water systems have an inherent interest in defending themselves from cyber threats and protecting the safety of the water for their customers,” Carter said in his opening statement. “They do not need Washington agencies to remind them of this. What they need is the technical knowledge and resources that help them protect themselves."