Water sector leaders seek increased EPA cybersecurity collaboration and guidance

The interior of the Hyperion Water Reclamation Plant in Playa Del Rey, Calif. (Photo: Brittany Murray/MediaNews Group/Long Beach Press-Telegram via Getty Images)

Experts from the water and wastewater sectors called on the Environmental Protection Agency to take action on recommendations from the Cyberspace Solarium Commission to bolster cybersecurity for America's water infrastructure.

Water sector leaders on Wednesday urged the Environmental Protection Agency, in its role as the sector risk management agency, to ramp up its oversight of cybersecurity standards, describing nationwide water and wastewater systems as America's "weakest link" when it comes to critical infrastructure.

The EPA only has an estimated $7 million in its annual budget dedicated to cybersecurity operations within the agency's Office of Water, according to Mark Montgomery, executive director of the Cyberspace Solarium Commission and senior director of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies. In its final report, the Solarium Commission recommended the EPA include at least $45 million in its annual budget to enhance water cybersecurity standards. 

The agency is seeking $4 billion for fiscal year 2023 to improve the nation's water infrastructure, and cybersecurity is featured in that funding request. Last month, EPA Administrator Michael Regan told Congress the budget request includes $50 million to support resiliency and sustainability initiatives throughout the water sector, $25 million to support water systems as they improve cyber capabilities and $35 million to provide water and wastewater systems with technical assistance.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly has also indicated her agency will roll out new directives for the water sector as required by the Infrastructure Investment and Jobs Act, which includes $48.4 billion over five years for drinking water and wastewater spending at EPA.

The FDD released a report last year proposing a co-regulatory model for the water sector, in which the EPA would partner with industry stakeholders and water infrastructure operators to increase collaboration around implementing cybersecurity standards across the nation's nearly 52,000 drinking water and 16,000 wastewater systems.

"Our vision here is a sector-led organization," Montgomery said at an FDD event on Wednesday about the organization's co-regulatory model proposal. "That's because at this time, without getting to all the nitty-gritty, the EPA's water cybersecurity team, you can count the total number of people on one hand."

The proposed "Water Risk and Resilience" organization would reflect the organizational structure of the Federal Electricity Regulatory Commission's electricity sector collaboration with the North American Electric Reliability Corporation. 

"We came to the conclusion that this was not something that could be done strictly with the federal family or strictly within the sector," Kevin Morley, manager of federal relations for the American Water Works Association, said about the co-regulatory model proposal. "We think there's a lot of value in that shared burden ... but unlike the electric sector we're not starting with a blank sheet of paper. There's a lot of knowledge that has been developed on what best practices would be. We think we would be in a position to move rather expediently to establish some baseline minimum cybersecurity practices."

Rep. Jim Langevin (D-R.I.), chair of the House Armed Services subcommittee on cyber and a member of the Cyberspace Solarium Commission, said on Wednesday that the "status quo simply cannot continue" amid increased threats targeting U.S. water systems.