From The Editor | November 3, 2023

Free Will And Cybersecurity


By Kevin Westerling,

Science technology questions GettyImages-1148438446

Even with federal regulations mandating action for municipal water and wastewater systems unfinished, the commitment to protect the public should compel utilities to improve cybersecurity.

Most utilities probably have a love/hate relationship with regulations. As providers of life’s most essential resource and protectors of our environment, utilities embrace the challenge of meeting, often exceeding, the standards dictated by state and federal regulators. This is true when the regulations align with the mission of utilities, to best serve the public and safeguard our nation’s waters, but certain mandates are not so warmly embraced.

If a rule is not well constructed, overly onerous, or lacks sufficient basis, it can do more harm than good, particularly as utilities are often already stretched thin with regard to funding and labor, and hence their ability to comply. This may be the case with the cybersecurity rule that didn’t happen — thankfully, according to American Water Works Association (AWWA) and the National Rural Water Association (NRWA).

Those groups agree, as do most utilities and yours truly, that cybersecurity is a critical need for municipal water and wastewater operations. However, I trust AWWA and NRWA when they say that the U.S. EPA’s would-be Cybersecurity Rule was bad for the industry. Therefore, they sued the EPA, joined by the states of Missouri, Arkansas, and Iowa. Instead of a court determination, the EPA rescinded the interpretive memorandum issued on March 3, 2023, Addressing Public Water System Cybersecurity in Sanitary Surveys or an Alternate Process, on Oct. 11.

At issue for AWWA and NRWA was that “...the rule was not consistent with the process Congress put in place to address cybersecurity concerns for water systems under the Safe Drinking Water Act or the American Water Infrastructure Act and was not issued with proper public engagement required by the Administrative Procedures Act,” according to a joint statement.

“In addition to concerns about the legal process and legality of the rule ... the rule would create additional cybersecurity vulnerabilities for utilities, as sanitary surveys required in the rule have public notification requirements. Finally, the rule would have required cybersecurity reviews by state regulatory agencies that lack expertise and resources for cybersecurity oversight,” the groups stated.

Until something new and better emerges — AWWA CEO David LaFrance suggested “a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA” — there are measures utilities can take to protect themselves.

Here are five steps to become more cyber-secure, as recommended by the U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC) 2.0 framework and summarized by Black & Veatch in their e-book, Pathway to Federal Cybersecurity Compliance.1

  1. Educate people on cyber threats.
    Most cyber-incidents start because of user error. Educate people about the importance of setting strong passwords, recognizing malicious links, and installing the latest security patches.
  1. Implement access controls.
    Limit information systems access to authorized users and the specific actions that they need to perform.
  1. Authenticate users.
    Use multi-factor authentication tools to verify the identities of users, processes, and devices.
  1. Monitor your physical space.
    Escort visitors and monitor visitor activity, maintain audit logs, and manage physical devices like USB keys.
  1. Update security protections.
    Automate testing and application of the latest security patches when new releases are available. Always doublecheck to make sure they are coming from a trusted source.

These are simple steps which streamline National Institute of Standards and Technology (NIST) guidelines for cybersecurity; whereas future regulation(s) are bound to require more specific actions, investment, and attention. For now, it’s the least we can do to keep our critical water and wastewater infrastructure safe from cyber threats and criminals, but it remains a choice. Or you can become even more resilient by incorporating the cybersecurity tools and guidance offered by AWWA and NRWA, which exemplify their commitment to the cause despite having issue with the previously proposed federal mandates.

Without the forced hand, however, utilities are free to make their own cybersecurity decisions. Choose wisely.