Inside Cybersecurity

May 19, 2024


Water sector touts proposal for new collaboration with U.S. EPA on cybersecurity

By Charlie Mitchell / November 9, 2021

A major water sector group is promoting the creation of a new industry-led body to develop and oversee mandatory cybersecurity standards, with the U.S. Environmental Protection Agency maintaining its role as the principal risk management agency backed by technical support from CISA.

“Because the sector collectively is faced with a complex set of information systems and hardware that must operate 24/7 to ensure public health and safety, there is an opportunity and a need to improve the water sector's cybersecurity posture, which will require reconsideration of the sector's current approach to oversight and accountability,” Kevin Morley of the American Water Works Association and consultant Paul Stockton wrote in an AWWA Journal article last week.

They noted that President Biden, the National Security Council and the Cyberspace Solarium Commission have all recently focused on ensuring the security of water and the sector’s industrial control systems, saying, “We are therefore at a rare inflection point when it comes to informing a new oversight structure for cybersecurity in the water sector.” The Solarium Commission is working on a paper addressing water issues that is expected later this year.

The article explains:

In April, AWWA's Water Utility Council commissioned a report to examine an approach that puts the water sector in a lead role, following the model used successfully in the electric sector. In particular, the report analyzes the creation of a sector-led process in close partnership with USEPA. This co-regulatory approach would be centered on a new entity, the Water Risk and Resilience Organization (WRRO), that would develop enforceable cyber standards and provide third-party audits. The diversity in utility size would require a tiered level of engagement, most likely starting with the largest drinking water and wastewater systems. Federal oversight would come from USEPA, with support from other federal agencies in the form of reviewing and approving standards developed by the WRRO. This approach provides a process that is capable of quickly adapting to the needs of the sector while ensuring that utility-based expertise guides standard development. In this case, the water sector is the driver rather than a passenger. The only remaining question is whether the sector is willing to take that responsibility and keep a hand on the wheel of governance or let go and hope for the best.

The article points to a paper by Stockton published in August that notes in the bulk power system, “electric utilities and an industry organization, the North American Electric Reliability Corporation (NERC), work to develop standards that are vetted and then either approved or, on rare occasions, rejected by the Federal Electricity Regulatory Commission (FERC) … The proven value of this approach: if the sector helps draft the standards that they know will be enforced against them, they will be supportive of the enforcement system that ‘holds the stick’ over them to create accountability. Put a different way: because they are in on the takeoff, they are in on the landing. This approach is also structured to encourage a high degree of shared action to support systems with compliance challenges.”

It calls for a “co-regulatory approach” through establishment of “a Water Risk & Resilience Organization (WRRO) to lead the development of mandatory standards, with strong participation by water sector representatives.”

It says Congress could grant EPA authority:

  • Requiring the WRRO to develop minimum cybersecurity performance standards.
  • Supporting the WRRO in drafting those standards with technical expertise, specialized threat information, and other types of assistance with the support of the Department of Homeland Security (DHS), the US intelligence community, and other Federal agencies.
  • Improving cyber threat information and analysis.
  • Reviewing and either approving or rejecting the standards proposed by the WRRO.
  • Conducting enforcement-related activities, including the establishment of penalty guidelines.

The report examines other options, including creation of a federal commission with oversight authority, but notes, “Rather than create a FERC-like entity from scratch, it would be more efficient and effective to build on USEPA’s existing expertise and strong collaborative relationships with the water sector.” -- Charlie Mitchell (cmitchell@iwpnews.com)