There is an interesting
opinion piece
over on calling for real cybersecurity
regulation in critical infrastructure and for federal funding for implementing
the necessary cybersecurity controls. As I noted on TWITTER® earlier today,
there is a basic misunderstanding of the current regulatory authority provided
to the Cybersecurity and Infrastructure Security Agency (CISA) evidenced in
this piece, but the authors do raise some interesting ideas about the need for
cybersecurity regulations.

CISA Authority

When CISA was stood up a bit over a year ago, it was not
given authority to regulate cybersecurity outside of the federal government,
with one minor, indirect exception: the Chemical Facility Anti-Terrorism Standards
(CFATS) program and that was only because the existing program was rolled into CISA.
CISA was only given ‘regulatory authority’ over cybersecurity programs in Federal
government agencies (outside of DOD and the intelligence agencies).

It would appear that the focus of the CyberBrief piece is
the regulation of cybersecurity at water treatment facilties (thus their suggested
‘universal security fee per gallon of water’). The Environmental Protection Agency
was given oversight of water treatment and wastewater treatment facility
security by Congress when DHS was stood up after 9/11. Even then their regulatory
authority was limited to being able to require water treatment facilities to
conduct a risk assessment.

Actually, I have not been able to find any where that
Congress has given any agency of the Federal government specific authority to
regulate cybersecurity in an operational environment. Existing cybersecurity
(FERC/NERC, CFATS, and MTSA) regulations rely on general security mandates to ‘obviously
include’ cybersecurity in facility security or resiliency mandates.


The authors make an important point that funding is going to
have to come from the Federal government (at least in part) if there are going
to be any mandates for cybersecurity in operational environments. State and local
governments are quick (rightfully so) to scream about unfunded mandates when
Congress sets requirements that those smaller government entities (with MUCH
SMALLER pocketbooks and statutory budget constraints) will be required to implement.
And remember, most water treatment facilities in this country are run by
government utilities.

I have not seen the recovery bill that the authors reference
in their article so I do not know where the $14 to $40 billion for “funding to
update and modernize the aging, and insecure operational technology that
sustains our way of life”. If that is just targeted at small water treatment
works cybersecurity (and I would be very surprised to see that kind money
targeted so specifically), let’s look at what that would mean per treatment

The EPA says
that there are “145,000 active public water systems in the United States” and
97% of them (140,650) serve 10,000 or fewer people. If the $40 billion were
targeted at just those facilities, it would make over $284K to each facility.
That would provide a pretty robust cybersecurity program. Even the $99.5K from
dividing up the $14 billion low-end figure would be significant. I suspect,
however, that those funds would be targeted at ‘water infrastructure’ not just
the cybersecurity for the same. Just replacing aging and leaking water delivery
pipes would eat up those funds quite quickly.

But, if we start dividing that money up to support other critical
infrastructure, the amount going to each facility starts to drop off
dramatically, not to mention the program costs that would probably come out of
those totals.

What is needed?

That is a very open-ended question. We need to have a national
discussion about what cybersecurity is needed at these water treatment
facilities. Do we want the same level of nearly absolute (there is no such
thing as absolute security) cybersecurity that we demand from nuclear power
plants? That will be very expensive in both capital and security expertise, but
it would give us very strong piece of mind that almost no one would be able to
attack a water utility’s customers via their drinking water. Or do we just want
to ensure that unsafe drinking water does not leave the facility and enter the
drinking water distribution system? That would be much less expensive and would
require significantly less cybersecurity expertise. I would expect that
something approaching the later would be acceptable to most people.

For regulatory purposes, we would have to define what that
type of system would look like and how we would expect to measure adequate
performance. I would expect that the regulations would define where in the
treatment process we would expect a facility to make the necessary realtime measurements
of water quality and set forth the minimum standards for reaction to
unacceptable quality parameters, and then define the minimum system safety
(including cybersecurity for automated systems) standards that would apply to
that portion of the treatment process Finally, we would need to put an
inspection force into place to ensure that facilities lived up to the expectations
outlined in the regulations.

The EPA certainly has the drinking water expertise to
explicate how treatment facilities should be measuring drinking water quality
and responding to out-of-standards test results. It would seem that they would
therefore be designated as the agency responsible for ensuring that those
systems were operating properly without outside malevolent interference. But
Congress must give them the responsibility and the authority to require
drinking water treatment facilities to meet those standards.

Go to Source of this post
Author Of this post: PJCoyle

By admin