The water industry wants to write its own cybersecurity rules. Will Biden and Congress go for it?

When Iranian government operatives hacked into water utilities across the U.S. late last year, it was a chilling reminder of how vulnerable the water sector remains — and how tortuous the efforts to regulate its cybersecurity have been.

Amid rising tensions with foreign adversaries — especially China, which has shown an eagerness to breach U.S. critical infrastructure for potential wartime sabotage — water industry officials and cybersecurity experts say it’s vital to shore up the digital defenses of this sprawling, cash-strapped, and largely overlooked community. And now, following the Environmental Protection Agency’s (EPA) failed effort to force states to inspect water systems’ cyber postures, the industry believes it has found a solution: treat water like electricity, with the industry writing rules for itself based on EPA guidance.

That plan appears to have at least some momentum in Congress. A House Republican lawmaker has been working with water executives on a bill to create a water cybersecurity regulation system modeled on the electric industry, according to a draft copy of the bill obtained by Recorded Future News. The bill, whose introduction timeline remains unclear, would allow the EPA to put an industry-run nonprofit group in charge of developing specific requirements for the agency’s general cybersecurity standards.

But many problems loom: Conservative lawmakers are likely to balk at further empowering the EPA, it could take more than a decade to implement all the necessary security measures, and small utilities will be left behind without a massive infusion of financial assistance.

Still, many people who track the water sector’s cyber challenges say the industry’s plan has the best chance of success — and that the country can’t afford a prolonged search for alternatives.

“You have a significant risk environment,” said Mark Montgomery, the senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation. “The status quo is not acceptable.”

Awash in risks

Of all the 16 critical infrastructure sectors that underpin American life, water might be the most difficult to protect from cyber threats.

It’s a massive industry, with more than 150,000 public water systems of varying sizes and technological sophistication, according to the Cybersecurity and Infrastructure Security Agency (CISA). And most of those utilities have very little money, because their funding depends on locally-approved rates that voters are reluctant to raise. Every dollar spent on cybersecurity is a dollar not spent on pipes and treatment chemicals.

This financial pressure has accelerated another trend that has made the water sector difficult to protect: the widespread automation of facility operations by digital, often internet-connected equipment. Pumps and valves now require far fewer employees to manage, saving utilities money. But the decades-long shift toward automation predated the onset of hacks targeting the water sector, so most of these digital systems lack basic cyber protections.

Today, the water sector faces numerous threats, from criminal ransomware gangs to nation-state hacker teams. Criminals go after the utilities’ customer data, while government operatives — like the Chinese hackers behind the Volt Typhoon campaign — look for ways to shut off water supplies in the event of a conflict. Many experts believe it’s only a matter of time before an intruder cripples the delivery of safe, clean water somewhere in the U.S.

“If you lose water, you eventually lose a lot of power generation,” Montgomery said. “You obviously lose public health and safety. And the military will be less effective and our economy will be less productive.”

The industry acknowledges the need for oversight, but trade associations and their supporters say regulations must reflect the water sector’s unique properties, including its size and diversity, the fact that water systems don’t interconnect the way electric utilities do, and the underfunded EPA’s inability to serve as a traditional regulator.

Among policymakers, “there is a recognition that something different is necessary in the water sector,” said Kevin Morley, the manager of federal relations for the American Water Works Association.

Industry holding the pen

To create cyber regulations on its terms, the water industry is working with Rep. Rick Crawford (R-Ark.), who is crafting a bill based on proposals that have circulated over the past few years.

According to the draft text that Crawford’s office provided to Recorded Future News, the bill would empower the EPA to mandate cybersecurity standards for the water sector and to certify a non-government “Water Risk and Resilience Organization” (WRRO) that would craft specific requirements. The EPA would then review the proposed text and either approve it outright or negotiate changes. 

Rep. Rick Crawford at a Congressional Steel Caucus meeting in June. Image: Rep. Rick Crawford

The WRRO, not the EPA, would directly oversee compliance through annual self-attestations and independent audits at least every five years. The organization could punish violators with fines of up to $25,000 per day.

The Crawford bill mirrors the approach used in the electric sector, where the Federal Energy Regulatory Commission (FERC) issues broad requirements and the industry-run North American Electric Reliability Corporation (NERC) crafts the particulars.

The water industry says this approach would be better than traditional EPA regulations because it would ensure that rules are shaped by utility operators’ practical experiences. “We think that this is the most equitable process,” Morley said.

Writing its own rules would help the industry achieve a top priority: standards that apply differently to facilities of different sizes. Large utilities have more complex and vulnerable computer systems than small utilities, some of which don’t even have any sensitive industrial equipment.

Cybersecurity experts who have worked with the electric sector say its model would help ease tensions between the EPA and the water industry. “Having industry involved hand-in-hand with government to co-develop these requirements is a significantly positive thing,” said Marty Edwards, deputy chief technology officer for OT and IoT at the industrial cyber firm Tenable.

Up against the clock

The water industry’s plan faces several significant challenges.

One big problem is the prevalence of industrial equipment that’s too old to support required security upgrades. “For a lot of these utilities, it's going to be a challenge to layer the desired cybersecurity controls over those old technology implementations,” said Andrew Ohrt, the resilience practice lead at the water engineering consultancy West Yost Associates.

Utilities will need to dedicate valuable funds and employee time to lengthy, complicated planning processes to replace that equipment, Ohrt said.

Another complication is the need for a stronger, more cyber-savvy EPA. At a time when Republicans almost uniformly oppose the EPA’s every move, it’s unclear whether the GOP-controlled House will even hold a vote on a bill giving the agency new regulatory authority. And even Crawford’s proposal doesn’t give the EPA any money to boost its ability to support the water sector. (The bill would give the WRRO itself $10 million over the next two fiscal years.)

Then there’s the time problem. It took NERC more than a decade to settle on its final suite of Critical Infrastructure Protection (CIP) requirements for electric utilities. “You don't recreate NERC CIP in a year,” said Robert M. Lee, the chief executive of industrial cyber firm Dragos. Ohrt said the process of retiring outdated industrial equipment alone could take “10 to 15 years for a lot of utilities.”

Morley believes the water industry could implement baseline requirements much more quickly by adapting best practices from other sectors. But even basic rules for just the most critical water facilities — like those that supply military bases and major cities — would take three to five years, Lee said.

Even odds of passage

For now, all eyes are on Congress as the water industry and cyber experts await Crawford’s bill. His spokesperson Sara Robertson said there’s no timeline for introducing the legislation. Proponents are also awaiting a signal from the Biden administration, which has championed creative approaches to cybersecurity regulation for critical infrastructure, about whether it supports the industry’s non-traditional approach. The White House did not respond to a request for comment, while the EPA declined to comment.

“This is the only model that can probably pass,” Montgomery said. “And even then, I would say it’s as likely to pass as not.”

With foreign government hackers on the prowl for vulnerable infrastructure, Edwards said “it’s critically important” that lawmakers enact rules for the water sector. “We should have done this a decade ago,” he added.

Lee bemoaned the ease with which a relatively novice group of Iranian hackers was able to penetrate water utilities through industrial devices that were still using the default password “1111.”

“Non-sophisticated actors could be putting people's lives in danger … [because of] things we know exactly how to fix,” Lee said. “I find that to be unacceptable.”