Administration cybersecurity plan draws scrutiny from industry associations
Following some high-profile water sector cybersecurity incidents, pandemic upheaval, and given recent geopolitical tensions, it is no secret that our national infrastructure’s cybersecurity measures require an overhaul.
From an outsider’s perspective, myriad national water sector associations have been functioning as a kind of assembly of workers; each has its own taskings to govern, but they gather departmentally to discuss strategy and opinion for the group’s good. They may not always agree, but over time they have settled into their roles and routines and have grown accustomed to working together as bosses come and go. The Biden Administration, then, is like a new boss who is suddenly much more concerned with the work of which the department has grown protective.
The water sector has seen that this new boss has already visited and made changes to fellow departments — electric and natural gas — and sometime around October of 2021, they arrived on the water sector’s floor.
However, while the federal government has some existing authority in the electric and natural gas sectors, it does not have much in the water sector, making for an interesting push and pull. As explained in a July 28, 2021, Biden Administration Fact Sheet, federal cybersecurity regulation in the U.S. is sectoral, and the government is considering new cybersecurity approaches, both voluntary and mandatory.
A Seat at the Table
When it comes to the water sector, it seems that the new boss has picked certain bedfellows to collaborate with — EPA, Cybersecurity and Infrastructure Security Agency (CISA), the Water Sector Coordinating Council (WSCC) — and has seemingly chosen not to invite others, such as American Water Works Association (AWWA), Water Environment Federation (WEF), Association of State Drinking Water Administrators (ASDWA), National Association of Water Companies (NAWC), and National Rural Water Association (NRWA) to the party.
These left-out associations have a lot to say about the Biden Administration plans of which they have caught wind. The plans impact the work they have lovingly tended to all these years, and they are concerned. So they convene and write letter after letter after letter to the boss’ party planner, The Honorable Radhika Fox, asking to be invited to the table to discuss their concerns, but seemingly get little to no reply.
Perhaps the ASDWA is feeling slighted. Cybersecurity is not the only Biden Administration/EPA initiative it has disagreed with. In a February 15, 2022, letter to the EPA, ASDWA pointed out multiple perceived critical implementation issues regarding the Justice40 Initiative that has been in place since December 2021.
Is this an accurate impression of the situation? It is hard to say. When your boss is the federal government, it is understandably wise to err on the side of discretion.
Editor’s Note: Several attempts were made to schedule interviews with industry representatives for this article, and one-by-one sources politely declined, citing the fluid and sensitive nature of the work.
Points of Concern for Water Cybersecurity Rules
According to a Wiley Rein LLP article, while the Biden Administration’s January 27, 2022, statement regarding the cybersecurity expansion to the water sector embraces a public-private partnership model, “myriad developments in the last year suggest that this collaborative bedrock of federal cyber policy is eroding.”
In December 2021, the ASDWA declared it does not believe an “agency action to establish cybersecurity requirements through an interpretive rule” to be legally justifiable. In the January 2022 release regarding the expansion to the water sector, the Biden Administration admitted that “the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure.”
The aforementioned article indicates that it may be wise of the water sector’s private operators to resist federal intervention altogether.
“Government threat hunting and network monitoring raise practical and principled concerns about government access to private data, as shown in past civil liberties objections to the Cybersecurity and Information Sharing Act of 2015,” the Wiley Rein LLP article notes. “Government surveillance of private networks is complex, and private companies should proceed with caution. Any monitoring or reporting partnerships between government and critical infrastructure operators should consider various protections.”
Indeed, even the ASDWA letters repeatedly implied concern with the information sharing, suggesting that if a state were to disclose utility vulnerabilities collected through sanitary surveys, “the information would be very valuable to hackers looking for an easy target, opening the utility up to ransomware attacks or worse.”
7 Cyber Security Goals of the Administration
- Remove barriers to threat information sharing between the government and the private sector.
- Modernize and implement stronger cybersecurity standards in the federal government.
- Improve software supply chain security.
- Establish a cybersecurity safety review board.
- Create a standard playbook for responding to cyber incidents.
- Improve detection of cybersecurity incidents on federal government networks.
- Improve investigative and remediation capabilities.
Timeline of Events to Date
A timeline recap of the situation to date follows:
April 20, 2021: The Biden Administration issued a statement announcing that the Industrial Control System (ICS) Cybersecurity Initiative began with an Electricity Subsector pilot, as the Department of Energy (DOE) unveiled an aggressive 100-day plan to improve national cybersecurity infrastructure.
May 12, 2021: President Biden signed an executive order charting a new course to improve the nation’s cybersecurity and to protect federal government networks. The fact sheet calls the executive order the “first of many ambitious steps the Administration is taking to modernize national cyber defenses.” It also acknowledges that “much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their determination regarding cybersecurity investments.” See the sidebar for seven goals the administration has for this effort.
January 13, 2022: Readout of White House Meeting on Software Security: The White House convened government and private sector stakeholders to discuss initiatives to improve the security of open-source software ubiquitous across every sector. While meeting participants “reflect some but not all of the largest public and private users and maintainers of open source software and Departments and Agencies which will carry this work forward,” they did not appear to include representatives from the water sector.
January 27, 2022: The Biden Administration announced the expansion of the ICS Cybersecurity Initiative to the water sector. The 100-day Water Sector Action plan aims to improve the sector’s cybersecurity by early May 2022. It was developed in close partnership with the EPA, the CISA, and the WSCC, and it encourages water utilities to participate in an ICS information-sharing and monitoring pilot program. In addition, it aims to work with private sector partners to develop data-sharing protocols that help water systems owners and operators use technologies to monitor infrastructure and glean situational awareness.
February 9, 2022: ASDWA letter to the EPA requested regular communications with EPA leadership, warned that the current iteration of the EPA’s plan won’t be successful, and asked that they collaborate in finding a sustainable solution. ASDWA feels the proposed cybersecurity program needs to be adapted. The cybersecurity onus should be on federal subject matter experts (SMEs) instead of primacy agency inspectors, it insists, and they should provide additional guidance on next steps following assessments. While expressing appreciation to the EPA for their efforts to improve sector cybersecurity, ASDWA appears eager to proactively supply them with alternate options. ASDWA asks for more-cohesive guidance to be provided before states develop disjointed cybersecurity approaches, further aggravating the issue. They also ask that the EPA consider closer coordination with the GCC and WSCC.
Early February 2022: While not related to the cybersecurity efforts per se, it’s clear that the Biden Administration is focused on the water sector as Vice President Kamala Harris attended a roundtable discussion alongside EPA Administrator Michael Regan and local government representatives to celebrate the success of Newark, New Jersey’s lead pipeline replacement project, marking the start of what she said was a “roadshow around the country” to talk about the importance of removing lead pipes. A week later, President Biden gave remarks on water sector infrastructure improvements from Cleveland, Ohio.
April 2022: According to Unified Agenda (RIN: 2040-AG20), the EPA intends to move forward with the requirements for sanitary surveys by primacy agencies to include cybersecurity.
Early May 2022: The 100-day initiative, especially ambitious in the water and wastewater sectors, which are more heavily governed by private sector entities, will be up for evaluation.
August 2022: President Biden is scheduled to meet with the private sector and education leaders to discuss the whole-of-nation effort needed to address cybersecurity threats.
What Happens Next?
Is the water sector stubbornly resisting noble Biden Administration efforts to better American infrastructure, or is the Biden Administration angling to get a foot in the door of an element of the water industry it should not be regulating? Or at least, is the Biden Administration stubbornly refusing advice from water associations who adamantly insist that their contributions, thus far ignored, are critical to the initiative’s success?
It is hard to say which viewpoint is correct at this point, and where there are multiple perspectives, the truth usually lies somewhere between. The author doesn’t purport to know the reasons why the Biden Administration may have chosen to keep an inner circle that excludes valuable players. However, the situation is developing rapidly, and 100 days isn’t long; although the implications will be longer-lasting, we won’t need to wait long to see how the water sector initiative plays out.