Is EPA policing enough for cyber attacks on water systems?


More and more of the nation’s drinking water systems are becoming automated. That means software. And software means cybersecurity attacks. Cybersecurity attacks mean anything could come out of people’s faucets. The Environmental Protection Agency is the federal lead on cyber. And the Government Accountability Office recommends it do a few things. For more, the EPA’s director of information technology and cybersecurity, Dave Hinchman, joins the Federal Drive with Tom Temin.

Interview transcript: 

Tom Temin  Dave, good to have you back.

Dave Hinchman  Tom, good to see you again. Thanks for having me in today.

Tom Temin  All right, you looked at EPA in terms of its being the sector risk management agency, and I guess it’s one of numerous ones that correspond to different public infrastructure sectors and components. Good way to put it?

Dave Hinchman  Absolutely, I think that’s a great way to describe it. There are 16 critical infrastructure sectors in the U.S. Each of those sectors has a lead agency. Sometimes it’s DHS and CISA. Sometimes CISA shares that responsibility, and other times you have a solo agency like EPA, which is in charge of the water and wastewater sector.

Tom Temin  All right, and water and wastewater systems are different, I think, than other utilities, other pieces of infrastructure in how scattered and localized they are. It could be a single town or municipality or tiny village running its own water system all the way to regional authorities and so forth that share resources. So, it’s kind of a scattered industry, isn’t it?

Dave Hinchman  Absolutely, and I think just to give some numbers for your listeners, there are over 153,000 public water systems in the U.S., as well as over 16,000 wastewater treatment facilities. So, all of these sectors increasingly interconnected, as you pointed out, it’s what we do with technology. It allows automation, allows remote operation of parts of your water system, and so all of those interactivities and those electronic connections all present vulnerabilities that someone with bad intentions might try to get access to.

Tom Temin  In essence, then it is an issue of operational technology, right, as they call it, OT, somehow, to their management systems, to the IT, and that’s the classic problem.

Dave Hinchman  Yeah. And I think the bigger the system, the more that’s an issue. If you think of some of the big, huge, sprawling water treatment plants that we might know of, those far parts of the system are all operated remotely from a central control room, and the more you get networked, as you pointed out, networking means you need to worry about cybersecurity, because bad people will try to get in to those systems to get access.

Tom Temin  And certain industries tend to have better cybersecurity postures than others. The financial industry, even though it gets hacked from time to time, you know, is pretty good at protecting its systems on the whole. Health care may be somewhere in the middle, because they get hacked all the time for ransomware. What does the water sector look like in general? Is it way behind the times?

Dave Hinchman  I would say that they’re learning about what cyber security means. It doesn’t help that they’re so sprawling across the U.S. You know, those 153,000 local waters, public water systems. But I think that this move to interconnectivity they have is also relatively recent. As technology has become more advanced and cheaper to implement, people are starting to use it. And so along with that, there’s a learning curve about what you need to do to make sure that you have the proper cyber security controls in place.

Tom Temin  And you looked mainly at EPA and what it does to encourage that, and what is its role here to begin with.

Dave Hinchman  Yeah, so we looked at three things. We looked at we were asked to sort of describe, what are the risks to the water sector, you know, what are kinds of incidences that we were able to find in the public record? We were asked to look at what actions both federal and non-federal entities have taken to ensure better cyber security in the sector. And then finally, we were asked to evaluate what EPA has done to address known risks within the water sector. And so looking across that landscape, there’s a lot has been done, and I think that’s a good thing and worth mentioning, but there’s also a lot of room for improvement, we found.

Tom Temin  We’re speaking with Dave Hinchman. He is the director of IT and cyber security at the Government Accountability Office. And what has EPA done so far? Let’s maybe get a little progress report.

Dave Hinchman  Sure. So, there’s a lot of best practices out there. You know, with such a sprawling sector, EPA is one relatively small federal agency, so they have a tall order. Takes a lot of resources. They do a lot of education for smaller organizations. But I think it’s worth noting that these sectors are only required to voluntarily comply with a lot of things that EPA does. The water sector is regulated, but those regulations also define the boundaries of what EPA can require a small public entity to do versus what they can’t require. And that’s, I think, part of the struggle with what they have and haven’t done, as we found.

Tom Temin  Right. And so, yeah, it’s like being a big brother to them more than something like a regulator. I mean, they can regulate what comes out of the faucet in terms of bacteria, but they can’t really, EPA, I’m referring to, can’t tell the utilities what to do with cyber.

Dave Hinchman  Right, and they ran smack into that last year. They tried to use their existing regulatory authorities to require cyber security assessments. A number of states instantly filed a lawsuit. EPA ended up suspending the rule, or excuse me, that the requirements and ultimately withdrew the requirements completely, and now they’re re-examining what their authorities do and don’t allow, and they committed to us that that would be released in the new year.

Tom Temin  And by the way, what is the scene with respect to hacks against the water sector? Is this largely a potential problem, or have there been cyber attacks and cyber attempts there?

Dave Hinchman  It’s, unfortunately, it is an existing problem and getting worse. During the course of our work, it felt like, you know, our news searches were popping up new reports every day. Some of those make the national news. Some of them make our sort of more you know, are more niche government newsletters, but the actions are out there, and it’s not just bad actors, it’s also insider threats, disgruntled employees who want to mess with systems, kids who are out hacking into things, as well as more foreign nation state sponsored actors who are looking to wreak havoc in our nation’s infrastructure.

Tom Temin  And what are they seeking to do, take money from the utilities, or do they want to divert the sewer water into the fresh water or something?

Dave Hinchman  At the risk of overgeneralizing, insider threats want to mess up the chemicals balance so that the whole water system is wrecked. One of the concerns that we’ve heard about in the press is that some of our foreign adversaries are parking themselves in our infrastructure connectivity and waiting for the right moment to make our lives very difficult, either by shutting down a water system, or creating some of the havoc I mentioned from an insider threat. And those, I think, are the ones that really get people worried, because we don’t know what it is they want to do. We just have a good sense that they’re in our systems.

Tom Temin  Right. And are they in the systems of major places like New York City? I can’t imagine the complexity of the water system for New York City or Los Angeles or a place like that.

Dave Hinchman  No, exactly. And I think one of the things that EPA has done, and we talked a little bit about the need for improvement, is they have something called a vulnerability self-assessment tool that they make available to local water systems. The tool itself is good. We found they need to do a peer review to make sure that they are asking the right questions and getting the right information to a local entity that uses this tool, they’ve committed to having that peer review done. It’s supposed to start in November, and if they need to adjust the tool after that, that’ll happen later next year. That I think is a great example of one of the useful tools that EPA does make available to these local water systems.

Tom Temin  And then you do have a pretty good list of recommendations. I think there’s four major recommendations for the EPA, and one of them they’re supposed to already do by statute.

Dave Hinchman  Yes, it hadn’t happened. They’ve committed to doing it, and that’s basically conducting a risk assessment of the water sector and then also putting together a strategy on how to address those risks. They are very committal in their formal response to our letter, which I applaud and appreciate, and we’ll follow up to make sure that happens, but just doing that risk assessment and developing a strategy about how to address those risks that they find, I think, will go a long way towards helping to better secure the entire sector.

Tom Temin  And earlier you mentioned that the utilities kind of said, go away when the EPA tried to impose cybersecurity responsibilities on them. You’re telling the agency to maybe go to Congress and get some legal authority it doesn’t have.

Dave Hinchman  Exactly, and they’ve also, they say they have conducted an assessment of their regulatory authorities. They’ve started conversations with Congress about new authorities, and when they release their risk assessment and strategy in the new year, they’ve also committed to including that analysis of their authorities about where they might need some extra horsepower to get things done.

Tom Temin  Right. And now we’re in the post-Chevron revision decision, which means Congress may have to actually specifically say this.

Dave Hinchman  Exactly, and so I think they’ll sort that out, but yeah, that certainly adds a complicating factor. But I think that, you know, being clear and explicit with what those authorities are can help reduce some of that uncertainty that the Chevron decision adds to the regulatory process.

Tom Temin  Dave Hinchman is director of IT and cyber security at the Government Accountability Office. As always, thanks so much for joining me.

Dave Hinchman  Tom, great to be here. Thanks again.

Tom Temin  And we’ll post this interview along with a link to his report at federalnewsnetwork.com/federaldrive. Hear the Federal Drive on demand. Subscribe wherever you get your podcasts.

The post Is EPA policing enough for cyber attacks on water systems? first appeared on Federal News Network.