By Patrick Crow
Cyber-attacks on water systems and other critical infrastructure are gaining increased attention in Washington.
The American Water Works Association (AWWA) recently released a guidance to give water utility managers a concise set of best practices and standards for reducing their cyber vulnerabilities. It outlines a transparent and repeatable process for evaluating a utility's process control system.
"Our water systems are essential to the health and safety of our communities and citizens," said AWWA Executive Director David LaFrance. "AWWA's new cybersecurity guidance and tool can help the nation's water utilities mitigate potential risks introduced by today's advanced technologies."
The association said cybersecurity is the top threat facing business and critical infrastructure in the U.S., according to reports and testimony from the National Intelligence Agency, Federal Bureau of Investigation and Department of Homeland Security (DHS).
On Feb. 12, 2013, President Barack Obama issued an executive order directing the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework for reducing cyber risks. AWWA's new guidance, "Process Control System Security Guidance for the Water Sector," is a product of the effort. Supporting the guidance is the AWWA Cybersecurity Use-Case Tool for evaluating security of computer systems and water utility networks. The tool and guidance are both free and prepared with input from AWWA's Water Utility Council.
Cybersecurity legislation is pending in Congress and could become a reality this session. The Environmental Protection Agency (EPA) has also become more active on the issue. Nancy Stoner, EPA's acting assistant administrator for water, has encouraged drinking water and wastewater utilities to adopt the NIST cybersecurity framework created in response to the executive order from the president and released in February.
The framework was created through collaboration between government and the private sector and uses a common language to address and manage cybersecurity risks in cost-effective ways based on business needs without instituting additional regulatory requirements. In a different but parallel initiative, EPA began beta-testing version 6.0 of its Vulnerability Self-Assessment Tool (VSAT). It is a downloadable application providing a systematic means for water and wastewater systems to evaluate their risks and vulnerabilities related to terrorism and natural disasters.
For the last several months, EPA has been upgrading the tool to make it easier to use and compatible with the AWWA J100-10 Risk and Resilience Management of Water and Wastewater Systems standard. Changes have also made the software more intuitive and easier to navigate. The agency said the principal enhancement was the addition of a "New Analysis Wizard" that help users select assets, countermeasures and threats using simplified templates. Small system users may now import data from earlier assessments.
Other improvements included the use of quantitative risk metrics, such as value of statistical life and injury for monetizing risk; inclusion of resilience metrics; prioritization of assets; a proxy method for threat likelihood; and the addition of ice-storm, wildfire and dependency threats to the standard threat listing.
In addition to EPA's risk management program, the Occupational Safety and Health Administration has promulgated a process safety management standard, and the DHS has a chemical facility anti-terrorism standards (CFATS) program. The water/wastewater industry is exempted from CFATS.
Industry lobbyists have fought to retain that exclusion, largely for fear that government might mandate the use of "inherently safer technology (IST)." That could require more expensive treatment processes, especially if DHS were to ban the use of chlorine. The House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies recently held a hearing regarding the CFATS program.
At the event, Caitlin Durkovich, the DHS assistant secretary for infrastructure protection, responded to questions about the water/wastewater exemption. Durkovich said that although including the water industry in the CFATS program was not being proposed at this time, it still was "a laudable goal." Tommy Holmes, AWWA legislative director, added, "There doesn't seem to be strong sentiment on Capitol Hill for changing that."
John Shimkus (R-Ill.), chairman of the House Environment and the Economy Subcommittee, has announced that his panel will consider a CFATS reauthorization/extension bill this year. He said the legislation would not include IST mandates. The subcommittee has opposed including water and wastewater facilities under the CFATS program.
About the Author: Patrick Crow covered the U.S. Congress and federal agencies for 21 years as a reporter for industry magazines. He has reported on water issues for the past 15 years. Crow is now a Houston, Texas-based freelance writer.