34 The Authority | October 2024

The Federal Government's Response to Cyberattacks on Water and Wastewater Systems

By Steven A. Hann, Esq., Hamburg, Rubin, Mullin, Maxwell & Lupin, PC

In August 2024, the United States Government Accountability Office (“GAO”) released a report to Congressional Requesters entitled, “Critical Infrastructure Protection – EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems.” (See the full report here: www.gao.gov/products/gao-24-106744.) The Report noted that recent cyber incidents have highlighted the vulnerability of the 170,000 water and wastewater systems in the country, an observation not lost on many of us with ties to the public sector. Specifically, the task before the GAO was to review cybersecurity threats facing the water sector in the United States, and the federal government’s efforts to address such threats. (The Report groups both drinking water and wastewater facilities under the general “water” heading.)

The GAO’s Report is predictably focused on the United States Environmental Protection Agency (“EPA”). By way of background, EPA has not been silent on the issue of cybersecurity facing our water and wastewater systems. Indeed, in March 2023, EPA reviewed its existing legal requirements regarding cybersecurity risks and determined that such requirements included cybersecurity assessments at drinking water systems. However, faced with legal challenges, EPA withdrew the requirement later that year. Nonetheless, on May 20, 2024, the agency issued an “enforcement alert,” indicating its plans to increase enforcement activities to ensure that drinking water systems address threats from cyberattacks.

Who are the actors that perpetrate cyberattacks and create the need for cybersecurity measures? The Report notes a number of possible persons/entities, including foreign nations, hackers and insiders (e.g., those with authorized access to a system). Yet, irrespective of the persons/entities behind the cyberattacks, the results can be devastating, resulting in a wide array of problems including, but certainly not limited to, the loss of service or equipment, and the possibility that critical information/data may be stolen, lost or compromised. Moreover, a cyberattack need not be directed at a water or wastewater facility to have an adverse impact on such facilities. By way of example, the Report recounts a 2019 incident whereby a municipality experienced a ransomware attack against its municipal IT systems, which resulted in the inability of the city’s department of public works to send bills to its customers. (In very general terms, ransomware is a type of software or malware that blocks a victim’s access to, among other things, its own system or files, or renders such system or files unusable until a “ransom” is paid to the perpetrator of the ransomware attack.)

Why are water and wastewater systems vulnerable to cyber threats? The Report notes several factors, including increased connections between operational technologies and internet-enabled devices, as well as operational and IT systems that are not properly separated, for example, by firewalls. A practical result of this lack of separation is that a cyberattack on a “business” IT system can spread to a system’s operational infrastructure. Moreover, increased reliance by water and wastewater facilities on electronic technologies or equipment, such as supervisory control and data acquisition (SCADA) systems or programmable logic controllers, likely increases the risk of cybersecurity incidents.

As of this 2024 writing, how is EPA addressing cyberattacks and cybersecurity? EPA has taken several initiatives