17837_Authority_Oct

municipalauthorities.org | 35 S olicitor ’ s C o r n e r and, based upon the Report, will undoubtedly take more in the near future. By way of example, by letter dated March 18, 2024, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to the nation’s Governors noting the potential for cyberattacks to disrupt the “critical lifeline of clean and safe drinking water.” The letter requested the assistance of the Governors to address the challenging risk that cyberattacks pose to drinking water systems. A subsequent news release on EPA’s website indicated that, as a follow-up to the aforementioned letter, a meeting was held on March 21, 2024 between federal representatives and state/ local officials to discuss cybersecurity issues related to the water sector. As noted in the press release, there were several significant points of discussion during the meeting, including EPA’s intention to establish a Water Sector Cybersecurity Task Force. As noted earlier, EPA also issued an enforcement alert on May 20, 2024, in which it delineated cybersecurity threats and vulnerabilities to community water systems, and the actions needed to comply with Safe Drinking Water Act (“SDWA”) Section 1433. Among other things, Section 1433 of the SDWA requires that community water systems serving more than 3,300 people conduct Risk and Resilience Assessments (RRAs”) and develop Emergency Response Plans (“ERPs”) which, according to EPA, will help water systems evaluate and reduce risks from physical and cyber threats (Section 1433 also requires the assessment of risk from natural hazards). This enforcement alert also addressed the increasing frequency and severity of cyberattacks against community water systems and, of concern, noted that over 70% of systems it has inspected since September, 2023 were in violation of certain SDWA section 1433 requirements, including missing specific sections of the aforementioned RRAs and ERPs. EPA also noted that EPA inspectors “identified alarming cybersecurity vulnerabilities at drinking water systems across the country.” In a news release announcing the enforcement alert, EPA indicated its commitment to providing cybersecurity technical assistance to the water sector, including direct access to subject matter experts who can assist in better understanding cybersecurity concepts. However, in the same news release, EPA indicated that it “will increase the number of planned inspections [of water systems] and, where appropriate, will take civil and criminal enforcement actions…” In any event, while EPA can identify cybersecurity concerns and subsequently propose actions to be taken to address such concerns, implementation issues of importance to the nation’s water systems no doubt include finding a dedicated source of funding and the technical expertise required to address such concerns and actions. Regarding the funding issue, SDWA Section 1433(g) directs EPA to establish a technical assistance and grant program to address community water system resiIiency and SDWA Section 1442(b) authorizes EPA to provide grants to assist in responding to and alleviating any emergency situation, which includes cyberattacks. Although other possible funding sources exist, this is still an issue worthy of much more discussion. As we enter 2025, cybersecurity-related issues need to be a “top of the agenda” item for all water an wastewater systems. In its Report, the GAO explicitly recognized this critical funding issue. According to the GAO, “EPA and others have noted that water and wastewater systems must prioritize limited resources towards ensuring their ability to function – that is, to supply water and manage wastewater.” Significantly, the GAO also noted that “government and sector officials have reported that the voluntary nature of cybersecurity competes with other regulated priorities, resulting in minimal or no cybersecurity investments.” Oftentimes, both the water and wastewater sectors are required to expend significant capital on compliance with various federal and state laws, whether it be replacement of infrastructure or system maintenance, leaving precious little resources available for addressing other issues, such as cybersecurity (see Report, page 22). As we move toward the latter part of 2024 and into 2025, where do we stand with the aforementioned cybersecurity issues regarding water and wastewater facilities, especially as such issues trigger EPA or other federal government involvement? Although a comprehensive answer to this question is beyond the scope of this article, it is worth noting that in the above-cited Report, the GAO made four specific recommendations regarding cybersecurity at water and wastewater facilities, which include EPA’s development and implementation of a national cybersecurity strategy, and an EPA evaluation of its legal authorities to carry out its cybersecurity responsibilities. EPA responded to each of the GAO recommendations and, as part of such response, the agency indicated that it would complete a water sector risk Continued on page 63.