Clear, Actionable Ways to Enhance Cybersecurity in the Water Sector

In May of 2022, Lauren Zabierek, Executive Director of the Cyber Project at the Harvard Kennedy School’s Belfer Center, and Sean Plankey, former Principal Deputy Assistant Secretary in the Office of Cybersecurity, Energy Security, and Emergency Response at Department of Energy, delivered a talk entitled, We Must Regulate Water and Wastewater Cybersecurity--Here's How, at Hack the Capitol 5.0. The talk was a small discussion during the day-long, multi-track event designed to educate congressional staffers, scholars, and the press on some of the most critical cybersecurity challenges facing our nation today.

Based on the article by Lauren and Belfer Cyber Project nonresident fellow, Selena Larson, this talk expanded on the concept from specifically the water and wastewater sector to encompass critical infrastructure more broadly. These recommendations (including specific water recommendations in the paper) are offered in the following categories:

Cybersecurity Legislation	Continuity of Economy	Water and Wastewater, Specifically
Pass mandatory cybersecurity regulations legislation for Critical Infrastructure: Congress provides Sector Risk Management Agencies (SRMAs) rulemaking authority under an amendment to the Administrative Procedure Act (APA). SRMAs engage industry to develop sector specific rulemaking to minimize cybersecurity risk. Require SRMAs to fund and staff advisory boards with participation from private industry and first responders (e.g. Electricity Sector Coordinating Council, Oil and Gas Sector Coordinating Council, National Maritime Security Advisory Committee). Appropriate funding for municipal grants to provide a cybersecurity “standard of care” with breach notification requirements Set requirements for cyber disruption and disaster mitigation and response. Authorize CISA as the standard maker for cybersecurity definitions, and allow the agency to update the definitions as the threat landscape & business models evolve.	Reframe the focus on “left and right of boom” planning. We live in an age of constant disaster Cultivate a preventative vice reactive culture Move Incident Response Mainstream: Exercise more than the IT or Security Teams Include cybersecurity in Business Continuity Planning for Disaster Response Build Resiliency through Continuity of the Economy Planning Continuity of the Economy Planning is required by law: The 2021 NDAA stipulated the President must create a plan within two years. The President must define who is in charge between the National Response Framework, PPD-41, and the National Cyber Incident Response Plan. A plan must involve the states and their homeland security and emergency management offices in coordination with the federal Department of Homeland Security. It must also involve funding, regular exercise at a regional and national level, and collection of lessons learned.	Appropriate state and local grant program for a cybersecurity “standard of care” with municipal utilities to include breach notification and mutual aid amongst providers. Model after the CIP framework, incorporate cybersecurity rules into the Environmental Protection Agency (EPA) Sanitary Surveys. Add Cybersecurity of information and operational technology to the eight focus areas covered by the EPA Sanitary Survey. Create North American standards for OT sensors and actuators. Require engineering firms to incorporate cybersecurity into their device engineering design and require acceptance and testing. Require detection and response plans aligned with NIST Cybersecurity Framework and coordinated with the relevant SRMA for all Critical Infrastructure. Codify Water ISAC list of cybersecurity fundamentals into regulatory requirements for all water and wastewater facilities Address specific regulations based on common cyberattack behaviors such as: Restricting remote access and externally accessible services Requiring access controls on IT & OT assets Immediately revoking access to outgoing employees Maintain a resilient control system in which pressure and treatment functions can be manually run Incorporate protective technology

Cybersecurity Legislation

Continuity of Economy

Water and Wastewater, Specifically

Pass mandatory cybersecurity regulations legislation for Critical Infrastructure:

Congress provides Sector Risk Management Agencies (SRMAs) rulemaking authority under an amendment to the Administrative Procedure Act (APA).
SRMAs engage industry to develop sector specific rulemaking to minimize cybersecurity risk.
Require SRMAs to fund and staff advisory boards with participation from private industry and first responders (e.g. Electricity Sector Coordinating Council, Oil and Gas Sector Coordinating Council, National Maritime Security Advisory Committee).
Appropriate funding for municipal grants to provide a cybersecurity “standard of care” with breach notification requirements

Set requirements for cyber disruption and disaster mitigation and response.

Authorize CISA as the standard maker for cybersecurity definitions, and allow the agency to update the definitions as the threat landscape & business models evolve.

Reframe the focus on “left and right of boom” planning. We live in an age of constant disaster

Cultivate a preventative vice reactive culture

Move Incident Response Mainstream:

Exercise more than the IT or Security Teams
Include cybersecurity in Business Continuity Planning for Disaster Response

Build Resiliency through Continuity of the Economy Planning

Continuity of the Economy Planning is required by law: The 2021 NDAA stipulated the President must create a plan within two years.
The President must define who is in charge between the National Response Framework, PPD-41, and the National Cyber Incident Response Plan.

A plan must involve the states and their homeland security and emergency management offices in coordination with the federal Department of Homeland Security.

It must also involve funding, regular exercise at a regional and national level, and collection of lessons learned.

Appropriate state and local grant program for a cybersecurity “standard of care” with municipal utilities to include breach notification and mutual aid amongst providers.

Model after the CIP framework, incorporate cybersecurity rules into the Environmental Protection Agency (EPA) Sanitary Surveys.

Add Cybersecurity of information and operational technology to the eight focus areas covered by the EPA Sanitary Survey.

Create North American standards for OT sensors and actuators. Require engineering firms to incorporate cybersecurity into their device engineering design and require acceptance and testing.

Require detection and response plans aligned with NIST Cybersecurity Framework and coordinated with the relevant SRMA for all Critical Infrastructure.

Codify Water ISAC list of cybersecurity fundamentals into regulatory requirements for all water and wastewater facilities

Address specific regulations based on common cyberattack behaviors such as:

Restricting remote access and externally accessible services
Requiring access controls on IT & OT assets
Immediately revoking access to outgoing employees
Maintain a resilient control system in which pressure and treatment functions can be manually run
Incorporate protective technology