USEPA’s recently released memorandum interprets existing regulations as requiring state oversight of public water systems' cybersecurity practices. This new oversight policy will cost state governments and every public water system money needed to repair failing infrastructure in a time of escalating project costs. The news is even worse – no one knows how much more money will be required.
Public Water Utilities Are Already Responsible
Water utilities bear the ultimate responsibility for providing safe water to their customers and the environment. And all water utilities support reasonable and effective cybersecurity regulations that help to protect public health and safety. However, the new policy forces state agencies directly into the accountability framework. In addition to concerns about the costs, feasibility, and potential unintended consequences on capital projects, the customer receives little added value.
Good Intentions from USEPA
According to the USEPA memorandum, drinking water systems will be more protected from cyber-attacks by mandating more aggressive state-level accountability. USEPA provides no ideas on how states will implement the new policy. In fact, USEPA states that it wants to be highly flexible with how states do their work and is there to help. Nevertheless, the new policy ensures the public has safe drinking water.
How Initial Assessments Work
Public water systems are required by USEPA to do regular audits (“sanitary surveys”) on all aspects of their systems and to make necessary improvements. The new policy requires that during a sanitary survey, the following must now be performed:
If the public water system uses an Industrial Control System (ICS) or other operational technology as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.
If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the public water system (PWS) to address the significant deficiency.
EPA has defined "significant deficiencies" as including, but not limited to, "defects in design, operation, or maintenance, or a failure or malfunction of the sources, treatment, storage, or distribution system that the state determines to be causing, or have the potential for causing, the introduction of contamination into the water delivered to consumers." For cybersecurity, significant deficiencies should include the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water.
Do States Have the Required Resources?
The short answer is no. Of course, USEPA is there to help. In reality, the new requirement means states will divert capital project grants and loans into the new cybersecurity initiative to develop new state capabilities or hire consultants. Some states will tell utilities to pay for it, which has the same effect: less funding is available for capital projects.
Unintended Consequences for Utilities
Traditional costs for cybersecurity measures in water utilities include assessment costs, capital improvement costs, staff training, ongoing system upgrades, and compliance (reporting). The new policy now injects another player and potential uncertainties into every new capital project. Look for more change orders and more cost escalation as states, or their contractors, find "insignificant deficiencies" in projects already designed by water utility staff and their design consultants.
The costs of implementing cybersecurity measures can be significant, particularly for smaller water utilities with limited resources. The exact cost will depend on the duplicate role that the states will play as dictated by the USEPA cybersecurity memorandum. The magnitude of the costs is unknown, which is one reason that policy by fiat is bad. However, the new policy will certainly result in less money for new water projects.
JD Solomon Inc provides solutions at the nexus of the facilities, infrastructure, and the environment. Contact us for more information on our program development, project management, and capital program prioritization solutions.