The Iranian threat to U.S. drinking water systems is a microcosm of what’s wrong with cybersecurity in the U.S. today—and what’s needed to fix it.
In March 2023, the Environmental Protection Agency issued a memo warning that cyber-attacks against public water systems were increasing. These attacks, the EPA said, have the potential to disable or contaminate the delivery of drinking water to Americans. While some public water systems had taken important steps to improve their cybersecurity, many systems had “failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by a cyber-attack,” including by state-sponsored actors, according to the EPA.
Under the federal Safe Drinking Water Act, states are required to conduct surveys of local water systems. Specifically, states must conduct, at least every three to five years, an onsite review of the “facilities, equipment, [and] operation … of a public water system to evaluate the adequacy of the system, its sources and operations and the distribution of safe drinking water.” If a state identifies a “significant deficiency” during a survey, the state must require the water system to address it.
In its March memo, the EPA noted that many public water systems had become reliant on electronic systems to operate efficiently, particularly on operational technology such as industrial control systems. The EPA therefore said it was interpreting the existing requirement on states to survey the “equipment” and “operation” of public water systems to include a review of the cybersecurity of any operational technology being used that could impact the supply or safety of the water provided to customers. Under the existing rule, if the state identified a significant cybersecurity deficiency, then the state would require the water system to address it. The memo laid out various approaches by which states could comply, including self-assessment by a water system itself, third-party assessment, direct state evaluation, and other alternatives. In a companion document, the EPA laid out a cybersecurity checklist for states to use.
Almost immediately, several Republican state attorneys general, joined by the American Water Works Association and National Rural Water Association, petitioned for review. They argued that the memo was a legislative rule issued in violation of the Administrative Procedure Act and that it exceeded the EPA’s statutory authority. The operational technology now essential to the delivery of safe drinking water, the plaintiffs argued, did not fit within the terms of the existing rule covering “equipment” and “operations” and “the distribution of safe drinking water.” The collection of cybersecurity information would, the trade associations argued, expose the water systems to higher risk of cyberattack.
In July 2023, without opinion, the Eighth Circuit granted the plaintiffs’ motion for a stay of the memorandum pending disposition of the petition for review. In October, the EPA rescinded the March memo, citing the litigation.
Now the FBI, the Cybersecurity and Infrastructure Security Agency, NSA, the Israeli National Cyber Directorate, and the EPA are warning in a joint advisory that since at least Nov. 22, 2023, cyber actors from Iran’s Islamic Revolutionary Guard Corps (IRGC) have been actively targeting and compromising operational technology used in American water and wastewater systems. The compromised devices (specifically, Israeli-made Unitronics programmable logic controllers) were publicly exposed to the internet with default passwords. The agencies recommend—but they can only recommend, since the EPA memo has been revoked—three actions that water systems could take “today to mitigate malicious activity.”
Those actions are to implement multifactor authentication, use strong, unique passwords, and check installed equipment for default passwords. Sure enough, these are identical to three of the first four items that the EPA had recommended in the cybersecurity checklist issued alongside its March 2023 memo: “Require multi-factor authentication.” “Require a minimum length for passwords.” “Change default passwords.”
So the IRGC is exploiting the very weaknesses that the states and the water system groups argued a few months ago need not be considered when assessing the equipment and operations of water systems.
So far, Biden administration cybersecurity rules on pipelines, railroads, and the aviation sector, issued under statutes that talk about safety and reliability but do not specifically mention cybersecurity, have stood. The courts’ hostility to federal regulation, epitomized by the Supreme Court’s 2021 ruling that an agency cannot address big problems unless Congress expressly grants it the authority to do so, has probably slowed down the Biden administration’s efforts to adopt cybersecurity rules for other sectors. It certainly must have influenced the government’s decision to throw in the towel on the EPA memo. To its credit, the administration continues to look for ways to strengthen the cybersecurity of critical infrastructure. Just on Dec. 6, the Department of Health and Human Services issued a cybersecurity plan indicating that it will use existing authority to establish cybersecurity requirements for hospitals receiving Medicare and Medicaid payments.
However, to swiftly and unequivocally move forward on cybersecurity, congressional action is needed. Comprehensive cybersecurity legislation is not conceivable when anti-regulatory sentiment still holds strong sway on Capitol Hill (not to mention other sources of dysfunction). But Congress did act just last December to give the Food and Drug Administration specific authority to issue cybersecurity standards for connected medical devices.
Ironically, the American Water Works Association, which argued against the EPA memo, has called for federal legislation to establish a regulatory regime for drinking and wastewater systems. Its proposal is for an industry-led private organization that would develop cybersecurity requirements, subject to EPA approval, and enforce them, subject to EPA oversight. The concept is patterned after a system long in place under the 2005 Energy Policy Act for the bulk electric power industry. The Cyberspace Solarium Commission staff translated the concept into legislative language, but so far no such legislation has been introduced. Do the trade associations and their allies, having demonstrated their ability to block EPA action, have the will and the juice to get anything through Congress?
An agency-by-agency, sector-by-sector approach may find other avenues for incremental congressional action that would make impossible the kind of evasive tactics deployed against the EPA’s efforts to strengthen the cybersecurity of water systems. Meanwhile, the government is left pleading with our drinking water providers: please change those default passwords.
– Jacob Horne, Jim Dempsey, Published courtesy of Lawfare.