ARCHIVE SITE - Last updated Jan. 19, 2017. Please visit www.NACWA.org for the latest NACWA information.
Following development of this Framework – and potentially impacting clean water agencies nationwide – the EO directs federal agencies to propose new regulations if existing cybersecurity regulations are insufficient. Since there are currently no cybersecurity regulations for the water sector, wastewater utilities may be subject to new cybersecurity regulations in the next few years. This Advocacy Alert provides a brief summary of the EO and PPD-21 and requests input from NACWA members on the issue of cybersecurity. Please email Cynthia Finley with input or questions about cybersecurity.

Background Information on Security of the Water Sector

The water sector, including both wastewater and drinking water, is considered critical infrastructure, with the U.S. Environmental Protection Agency (EPA) serving as the federal Sector-Specific Agency (SSA) that oversees the security and resiliency of the sector in cooperation with the Water Sector Coordinating Council (WSCC). The WSCC consists of two representatives from each of the water sector associations. NACWA’s representatives to the WSCC are Patty Cleveland, Assistant Regional Manager with the Trinity River Authority, Texas, and Jim Davidson, Manager of Safety & Security with the Northeast Regional Sewer District, Ohio. Patty was recently elected to a two-year term as Vice Chair of the WSCC. EPA and the WSCC also coordinate with DHS and other federal agencies.

Since security at water and wastewater utilities became a greater concern in the wake of the September 11, 2001 terrorist attacks, efforts to improve security, resiliency, and emergency preparedness have focused on voluntary measures, which have been successful in improving the overall security of the sector against natural disasters and terrorist attacks. The sector has, in recent years, become more aware of the need to protect itself against cyber threats.
In the 2012 WSCC Strategic Roadmap, the top priority activity for the water sector was to “enhance the cybersecurity posture of the Water Sector.” In a conversation with the White House about the EO in late 2012, the WSCC stressed that voluntary measures to improve cybersecurity would be best, especially given the extremely diverse nature of the utilities in the water sector.

Summary of Executive Order on Cybersecurity and PPD-21

While most of the EO focuses on voluntary programs for critical infrastructure, it also contains many requirements for SSAs, including EPA, that may lead to new regulations. The components of the EO that will have the most impact on wastewater utilities are described below:
The EO also contains some requirements that will be useful to the water sector as it works to improve its cybersecurity, including expansion of the DHS Enhanced Cybersecurity Services program to all critical infrastructure sectors, which will provide classified cyber threat and technical information, and expedited security clearances to appropriate critical infrastructure personnel. In addition, within two years of the publication of the final Framework, “ineffective, conflicting, or excessively burdensome cybersecurity requirements” must be reported to the White House Office of Management and Budget.

PPD-21 was released with the EO in an attempt to take an integrated approach to strengthening the security and resiliency of critical infrastructure against all hazards, including cyber threats. The main requirements in the PPD are to clarify federal roles and responsibilities, integrate physical security and cybersecurity analysis and situational awareness, improve information sharing, and enhance the federal government’s ability to be a better partner to critical infrastructure owners and operators. The PPD recognizes that “critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.”

Potential Impacts on Water Sector

While the EO cannot require that cybersecurity regulations be imposed on the water sector, the requirements that EPA establish a voluntary program for the water sector, report on the extent of utility participation in the program, and evaluate the sufficiency of current regulations to mitigate cyber risks may lead directly to new regulations.
Since there are no current regulations for the water sector on cybersecurity, EPA would be required by the EO to “propose prioritized, risk-based, efficient, and coordinated actions… to mitigate cyber risk.” There is no definition in the EO of what these actions could be – whether additional voluntary actions by utilities would be sufficient or whether EPA would be pressed to introduce regulatory requirements.

Although there is currently no pending legislation related to cybersecurity, the Cybersecurity Act of 2012 (S. 3414) was introduced last year with both Democratic and Republican sponsors. In a meeting with the House Energy and Commerce Committee last month, NACWA was informed that the Committee was not planning to work on any new legislation. However, in the wake of the EO and PPD-21, many members of Congress have stated that legislation is still needed to deal with cybersecurity issues.

Next Steps

NACWA’s advocacy will continue to focus on the sufficiency of voluntary efforts by utilities to improve their security against cyber threats. Through its involvement with the WSCC and its own advocacy efforts, NACWA plans to engage EPA and other agencies on the development of the Cybersecurity Framework and the voluntary program to adopt the Framework. Additional information from NACWA members about cybersecurity would be useful in guiding these advocacy efforts, in particular:
Please contact Cynthia Finley with any input or questions about the EO, PPD-21, and other cybersecurity issues.