Inside Cybersecurity

FDD’s Montgomery praises EPA decision to withdraw cyber memo for public water systems

By Sara Friedman / October 17, 2023

Mark Montgomery of the Foundation for Defense of Democracies sees the Environmental Protection Agency’s move to withdraw its cyber requirements for public water systems as a “wise decision,” while emphasizing the risks that sector continues to face from cyber attacks.

EPA’s March memorandum setting the requirements was “clearly” having “legal issues,” Montgomery said. “Furthermore, I think this memorandum was not the right way to attack this challenging issue. Water is among our most cyber insecure critical infrastructures, and because of its integration into other sectors it places national security, economic productivity and public health and safety at risk.”

EPA issued an “interpretative” memorandum in March that set up requirements for drinking water systems to consider cybersecurity as part of the sanitary survey process. The memorandum was challenged in court by three states and two trade groups and subsequently withdrawn by EPA on Thursday.

The agency said in a Thursday statement, “While the memorandum is being withdrawn due to litigation, improving cybersecurity across the water sector remains one of EPA’s highest priorities.”

EPA emphasized how it will continue to work with states, tribes and territories “to protect the public from the threats created by cybersecurity incidents and support the efforts of water systems to adopt cybersecurity best practices.” EPA said, “The Agency will continue to explore opportunities to lower cybersecurity risk for public water systems.”

Montgomery commented, “The water sector is at risk because it is a highly distributed infrastructure with between 55,000 and 125,000 entities depending how you count them, that is poorly resourced, and with minimal cybersecurity support from the EPA. No one - the feds, the states, or the utilities - is in a position to regulate us out of this mire.”

FDD published a report in 2021 highlighting the challenges that the water sector faces and cyber recommendations for government and industry.

The latest iteration of the Cyberspace Solarium Commission put out a set of six legislative proposals in 2022 including one with language to create an entity “charged with developing mandatory cybersecurity requirements for the water sector with EPA oversight.”

FDD is an independent think tank that took on stewardship of the Cyberspace Solarium Commission’s work products after the body’s federal charter expired. Montgomery leads CSC 2.0 and is senior director of FDD’s Center on Cyber and Technology Innovation.

Montgomery said, “We have consistently recommended that this infrastructure needs a collaborative response, with a risk and resilience organization that helps assess and assist utilities, guided by EPA standards. This entity can also assist utilities in accessing grants and low cost solutions to address the cybersecurity discrepancies identified.”

Montgomery said, “Hopefully, this setback will lead EPA to look at innovative solutions like this, I suspect Congress will do the same.”

President Biden’s national cyber strategy emphasizes the need to establish cyber regulations to secure critical infrastructure and says where there are gaps in statutory authorities, “the Administration will work with Congress to close them.”

In response, Montgomery said, “I think every critical infrastructure has to be looked at individually to determine the right balance between regulation, incentivization and collaboration. Clearly, financial services is under constant criminal threat, relies heavily on high speed, can't fail data flows, and has resources to address discrepancies so it makes sense it's highly regulated.”

“Other infrastructures, like water, share few of these characteristics. So you need different answers for different infrastructures,” Montgomery said.

In response to the memo, a senior administration official said, “Since day one, the President has been laser focused on strengthening the cybersecurity of the critical infrastructure on which Americans rely every day. This underpins the President’s National Cybersecurity Strategy -- to apply various authorities in novel ways to address cyber risks and to establish consistent minimum cybersecurity requirements. And the President has delivered.”

The official said, “From issuing emergency directives in covering aviation, rail, and pipelines to better securing medical devices and common household technology, the Biden-Harris Administration has taken aggressive action to lock our digital doors. We will continue to use all the tools and resources needed to secure the water sector -- and all sectors - to ensure the continuity of services which Americans expect.” -- Sara Friedman (sfriedman@iwpnews.com)