ARCHIVE SITE - Last updated Jan. 19, 2017. Please visit www.NACWA.org for the latest NACWA information.



Advocacy Alert 13-04


To: Members & Affiliates
From: National Office
Date: February 14, 2013
Subject: IMPACTS OF CYBERSECURITY EXECUTIVE ORDER AND POLICY DIRECTIVE ON CLEAN WATER AGENCIES

Reference: AA 13-04


In conjunction with President Obama’s State of the Union address on the evening of February 12, the Administration released an Executive Order (EO) for Improving Critical Infrastructure Cybersecurity and a Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21). The EO directs the Department of Homeland Security (DHS) to develop a “Cybersecurity Framework” to reduce cyber-related risks to critical infrastructure, including wastewater and drinking water infrastructure.

Following development of this Framework – and potentially impacting clean water agencies nationwide – the EO directs federal agencies to propose new regulations if existing cybersecurity regulations are insufficient. Since there are currently no cybersecurity regulations for the water sector, wastewater utilities may be subject to new cybersecurity regulations in the next few years.

This Advocacy Alert provides a brief summary of the EO and PPD-21 and requests input from NACWA members on the issue of cybersecurity. Please email Cynthia Finley with input or questions about cybersecurity.

Background Information on Security of the Water Sector

The water sector, including both wastewater and drinking water, is considered critical infrastructure, with the U.S. Environmental Protection Agency (EPA) serving as the federal Sector-Specific Agency (SSA) that oversees the security and resiliency of the sector in cooperation with the Water Sector Coordinating Council (WSCC). The WSCC consists of two representatives from each of the water sector associations. NACWA’s representatives to the WSCC are Patty Cleveland, Assistant Regional Manager with the Trinity River Authority, Texas, and Jim Davidson, Manager of Safety & Security with the Northeast Regional Sewer District, Ohio. Patty was recently elected to a two-year term as Vice Chair of the WSCC. EPA and the WSCC also coordinate with DHS and other federal agencies.

Since security at water and wastewater utilities became a greater concern in the wake of the September 11, 2001 terrorist attacks, efforts to improve security, resiliency, and emergency preparedness have focused on voluntary measures, which have been successful in improving the overall security of the sector against natural disasters and terrorist attacks. The sector has, in recent years, become more aware of the need to protect itself against cyber threats. In the 2012 WSCC Strategic Roadmap, the top priority activity for the water sector was to “enhance the cybersecurity posture of the Water Sector.” In a conversation with the White House about the EO in late 2012, the WSCC stressed that voluntary measures to improve cybersecurity would be best, especially given the extremely diverse nature of the utilities in the water sector.

Summary of Executive Order on Cybersecurity and PPD-21

While most of the EO focuses on voluntary programs for critical infrastructure, it also contains many requirements for SSAs, including EPA, that may lead to new regulations. The components of the EO that will have the most impact on wastewater utilities are described below:

  • A “Cybersecurity Framework” will be developed to reduce the cyber risks to critical infrastructure. A draft of the Framework is expected within 240 days of the EO, and a final version will be released within a year.
  • SSAs must establish a voluntary program to support adoption of the Framework by owners and operators of critical infrastructure. SSAs will coordinate with the Sector Coordinating Councils to develop implementation guidance or supplemental materials. SSAs will report annually on the extent of participation in the Program.
  • The Secretary of Homeland Security will coordinate a set of incentives to promote participation in the voluntary programs and will use a risk-based approach to identify critical infrastructure that could result in catastrophic regional or national effects, such as public health impacts, if a cyber incident occurred. SSAs will provide information to DHS to help identify this critical infrastructure. Owner/operators of critical infrastructure will be notified confidentially if they are identified in this process.
  • SSAs – for the water sector, EPA – will “determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.” Within 90 days of publication of the preliminary Framework, SSAs shall submit a report “that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.”
  • SSAs must propose “actions” to address cybersecurity: “If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies… shall propose prioritized, risk-based, efficient, and coordinated actions… to mitigate cyber risk [emphasis added]”

The EO also contains some requirements that will be useful to the water sector as it works to improve its cybersecurity, including expansion of the DHS Enhanced Cybersecurity Services program to all critical infrastructure sectors, which will provide classified cyber threat and technical information, and expedited security clearances to appropriate critical infrastructure personnel. In addition, within two years of the publication of the final Framework, “ineffective, conflicting, or excessively burdensome cybersecurity requirements” must be reported to the White House Office of Management and Budget.

PPD-21 was released with the EO in an attempt to take an integrated approach to strengthening the security and resiliency of critical infrastructure against all hazards, including cyber threats. The main requirements in the PPD are to clarify federal roles and responsibilities, integrate physical security and cybersecurity analysis and situational awareness, improve information sharing, and enhance the federal government’s ability to be a better partner to critical infrastructure owners and operators. The PPD recognizes that “critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.”

Potential Impacts on Water Sector

While the EO cannot require that cybersecurity regulations be imposed on the water sector, the requirements that EPA establish a voluntary program for the water sector, report on the extent of utility participation in the program, and evaluate the sufficiency of current regulations to mitigate cyber risks may lead directly to new regulations. Since there are no current regulations for the water sector on cybersecurity, EPA would be required by the EO to “propose prioritized, risk-based, efficient, and coordinated actions… to mitigate cyber risk.” There is no definition in the EO of what these actions could be – whether additional voluntary actions by utilities would be sufficient or whether EPA would be pressed to introduce regulatory requirements.

Although there is currently no pending legislation related to cybersecurity, the Cybersecurity Act of 2012 (S. 3414) was introduced last year with both Democratic and Republican sponsors. In a meeting with the House Energy and Commerce Committee last month, NACWA was informed that the Committee was not planning to work on any new legislation. However, in the wake of the EO and PPD-21, many members of Congress have stated that legislation is still needed to deal with cybersecurity issues.

Next Steps

NACWA’s advocacy will continue to focus on the sufficiency of voluntary efforts by utilities to improve their security against cyber threats. Through its involvement with the WSCC and its own advocacy efforts, NACWA plans to engage EPA and other agencies on the development of the Cybersecurity Framework and the voluntary program to adopt the Framework. Additional information from NACWA members about cybersecurity would be useful in guiding these advocacy efforts, in particular:

  • The cyber threats faced by utilities;
  • The need for utilities to be provided with additional information about threats and measures to take against them; and
  • Additional resources that would be useful for utilities to have to improve cybersecurity.

Please contact Cynthia Finley with any input or questions about the EO, PPD-21, and other cybersecurity issues.

 
