Biden Administration Plans to Bolster the Cybersecurity of Water Systems Critical Infrastructure

June 4, 2024

In March 2023, the Environmental Protection Agency issued a rule requiring states to evaluate the cybersecurity of water systems during sanitary surveys. This rule was based on an interpretation of the Safe Drinking Water Act and formed part of the Biden Administration's broader national cybersecurity strategy, which urges all agencies, including those protecting critical infrastructure like water systems, to establish minimum cybersecurity standards.

However, the EPA's rule faced legal challenges, leading to a temporary hold by a court in July 2023 after three Republican state attorneys general filed a petition to review it. These petitioners expressed concern that the rule infringed on states' rights and could lead to increased costs for consumers. Consequently, the EPA withdrew the rule last October, with the intention of seeking congressional authority to enforce digital safeguards for water and wastewater systems. Currently, the Biden Administration is re-examining whether the EPA has the authority to standardize the cybersecurity mandates under which this rule falls.

Protecting Water Systems from Cyber Attacks

Water and wastewater systems are one of the United States' 16 critical infrastructure sectors, making them a prime target for malicious actors seeking to disrupt or harm American life. Like transportation, energy, and other critical industries, our country's 50,000 water systems face both universal and sector-specific threats. Prime among these threats is the systems' exposure to the public-facing internet. Operational technology such as controllers and remote terminal units is often connected directly to the internet, leaving it reachable by, and vulnerable to, remote attackers.

Thus, regular cybersecurity assessments are crucial to identify and remediate vulnerabilities within operational and information technology systems. Assessments can identify systems that require updates, restrict unauthorized users, and ensure data and systems are backed up. At the same time, it can be challenging to maintain system inventories and authorizations across such a vast network, making the entire process difficult to manage and protect.

Human error plays a considerable role as well. Users who don't change default passwords leave systems open to unauthorized access, as was seen last December, when a group affiliated with the Iranian government compromised wastewater networks in 16 states by logging into the systems with a default password of 1111. Employees without proper cybersecurity awareness training can inadvertently become the weakest link in the security chain. These critical sectors, like all organizations, must develop and execute cybersecurity incident response and recovery plans to better mitigate cyber incidents.

The Road Forward

Despite the withdrawal, the EPA continues to advocate for the adoption of cybersecurity best practices in public water systems to ensure safe and reliable drinking water. In a March 2024 letter to U.S. governors, EPA Administrator Michael Regan asked states to voluntarily review cybersecurity programs within water systems, and the EPA is committed to providing technical assistance, including risk assessments, consultations, training, and funding.

The Biden administration has also stated its continued dedication to securing water systems against cyber threats, an ongoing, multifaceted effort spanning several years. The administration plans to pursue alternative legislative options to obtain the necessary authority from Congress for the EPA to mandate cybersecurity practices.

The decision to rescind the rule has been met with mixed reactions. Some state officials and water sector groups, such as the American Water Works Association and National Rural Water Association, welcomed the withdrawal, while also acknowledging the ongoing and real cyber threats to the water sector. These groups are pushing for a co-regulatory model and have proposed legislation to support cybersecurity in rural water systems. This model “would build on a similar process in the electric sector, maintain EPA oversight, ensure the engagement of water sector experts and protect sensitive information. It would also incorporate the public-private collaboration called for in the recent National Cybersecurity Strategy,” making it a viable option to explore for the protection of our water systems.

Protect Cybersecurity of Critical Infrastructure with Capitol Tech

Capitol Technology University offers degree programs in Critical Infrastructure that prepare students to protect the critical sectors of our nation’s infrastructure. Through cybersecurity education and facilities management training, our comprehensive curriculum sets students on the path to success in this dynamic field. For more information, contact our Admissions team or attend an information session.