As the recent e. Coli scare in Portland, Ore., indicates, access to clean drinking water is a basic necessity for avoiding disease and allowing society to function unhindered by the need to, say, boil one’s bathwater for at least one minute every evening. The US Environmental Protection Agency (EPA) is now striving to implement the Cybersecurity Framework as part of a public-private effort to lock down the systems in the water and wastewater systems sector.
The stakes are of course massive: the sector comprises approximately 155,000 public water systems that serve drinking water to more than 300 million people, and approximately 16,500 publicly owned treatment works that treat wastewater from more than 227 million people and certain industrial facilities. The EPA is tasked with ensuring these works provide drinking water that meets all applicable state and federal regulations in sufficient quantity to serve all customers with an uninterrupted supply and at sufficient pressures and flows for fire suppression; and with making sure that wastewater is transported to a facility where it is treated to meet all local, state and federal standards prior to discharge to the environment.
For decades, water and wastewater facilities have used industrial control systems and electronic networks to varying degrees to monitor and control surface-water intakes, groundwater wells, sewage collection, water and sewage treatment, distribution systems, effluent discharge and other processes. That in turn makes for a large attack surface for cyber-terrorists.
Bad actors could disrupt the water supply in many ways, including chemical overdosing or under-dosing, disabling water distribution, discharging untreated sewage and blocking or sending false data to operators. On a large scale, the effects could be worrying to the public health. And yet, much critical infrastructure runs on SCADA and industrial control systems that are aging and out-of-date, and rife with vulnerabilities.
To address the issue as per President Obama’s Executive Order in February 2013, the EPA has opted against further regulation and instead has recommended a voluntary partnership model, including implementation of the Cybersecurity Framework.
The Cybersecurity Framework has been developed by NIST, and consists of standards, guidelines and best practices to promote the protection of critical infrastructure. The effort aims to outline a prioritized, flexible, repeatable and cost-effective approach to help owners and operators of critical infrastructure manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
“The National Infrastructure Protection Plan promotes partnerships as a key mechanism for critical infrastructure risk management, including Sector Coordinating Councils and Government Coordinating Councils,” said Peter Grevatt, director at the EPA’s Office of Ground Water and Drinking Water, in a letter to the White House. “Recognizing the potential for a cyber-attack to disrupt critical functions at water and wastewater facilities, the Water Sector Coordinating Council, Water Government Coordinating Council and sector partners have taken important steps to reduce cybersecurity risks.”
The latest of these steps is a move to convene the CIPAC Water Sector Cybersecurity Strategy Workgroup to develop a strategy to promote and facilitate use of the Cybersecurity Framework. The workgroup has three main objectives: to recommend approaches to outreach and training that will promote use of the Cybersecurity Framework by all segments of the water and wastewater systems sector; to assess gaps, if any, in available guidance, tools and resources for application of the Cybersecurity Framework; and to identify measures of success that can be tracked and reported by federal agencies to indicate the extent of use of the Cybersecurity Framework in the sector.
The agency left the door open to dynamic changes in strategy, however.
“The recommendations from this workgroup will guide EPA's work in partnership with the Water and Wastewater Systems sector to increase the resilience of water and wastewater facilities to cyber-attacks,” said Grevatt. “If the voluntary partnership model is not successful in achieving widespread implementation of the Cybersecurity Framework or if warranted by a changing cybersecurity risk profile, the EPA can revisit the option of using general statutory authority to regulate cybersecurity in the water and wastewater systems sector.”
Recent analyses on resilience factors at water and wastewater facilities found that there are some bright spots in the system already. For instance, should cyber-dependent systems be compromised through a cyber-attack, many water and wastewater facilities have the capability to employ manual overrides for critical systems.
“Manual overrides, storage in distribution systems and the ability to isolate systems from the Internet may allow water and wastewater facilities to maintain operation during a cyber-attack,” Greaves said. “Water and wastewater facilities are generally stand-alone systems with little to no cyber-connections between companies or municipalities. Further, because water and wastewater facilities have been custom designed over time, there are few common processes or software systems by which a cybersecurity incident could spread to multiple facilities.”
Also, a cyber-attack on a water or wastewater facility would not result in off-site release of on-site chemicals because this aspect of the system cannot be remotely controlled. Also, the design of the control system prevents operators from actions that could jeopardize containment.