Wednesday, February 17, 2021

Call for Cybersecurity Regulations – 2-17-21

There is an interesting opinion piece over on TheCipherBrief.com calling for real cybersecurity regulation in critical infrastructure and for federal funding for implementing the necessary cybersecurity controls. As I noted on TWITTER® earlier today, there is a basic misunderstanding of the current regulatory authority provided to the Cybersecurity and Infrastructure Security Agency (CISA) evidenced in this piece, but the authors do raise some interesting ideas about the need for cybersecurity regulations.

CISA Authority

When CISA was stood up a bit over a year ago, it was not given authority to regulate cybersecurity outside of the federal government, with one minor, indirect exception: the Chemical Facility Anti-Terrorism Standards (CFATS) program, and that was only because the existing program was rolled into CISA. CISA was only given ‘regulatory authority’ over cybersecurity programs in Federal government agencies (outside of DOD and the intelligence agencies).

It would appear that the focus of the Cipher Brief piece is the regulation of cybersecurity at water treatment facilities (thus their suggested ‘universal security fee per gallon of water’). The Environmental Protection Agency was given oversight of water treatment and wastewater treatment facility security by Congress when DHS was stood up after 9/11. Even then their regulatory authority was limited to being able to require water treatment facilities to conduct a risk assessment.

Actually, I have not been able to find anywhere that Congress has given any agency of the Federal government specific authority to regulate cybersecurity in an operational environment. Existing cybersecurity (FERC/NERC, CFATS, and MTSA) regulations rely on general security mandates to ‘obviously include’ cybersecurity in facility security or resiliency mandates.

Funding

The authors make an important point that funding is going to have to come from the Federal government (at least in part) if there are going to be any mandates for cybersecurity in operational environments. State and local governments are quick (rightfully so) to scream about unfunded mandates when Congress sets requirements that those smaller government entities (with MUCH SMALLER pocketbooks and statutory budget constraints) will be required to implement. And remember, most water treatment facilities in this country are run by government utilities.

I have not seen the recovery bill that the authors reference in their article, so I do not know where the $14 to $40 billion for “funding to update and modernize the aging, and insecure operational technology that sustains our way of life” would be directed. If that is just targeted at small water treatment works cybersecurity (and I would be very surprised to see that kind of money targeted so specifically), let’s look at what that would mean per treatment facility.

The EPA says that there are “145,000 active public water systems in the United States” and 97% of them (140,650) serve 10,000 or fewer people. If the $40 billion were targeted at just those facilities, it would come to over $284K per facility. That would provide a pretty robust cybersecurity program. Even the $99.5K from dividing up the $14 billion low-end figure would be significant. I suspect, however, that those funds would be targeted at ‘water infrastructure’, not just the cybersecurity for the same. Just replacing aging and leaking water delivery pipes would eat up those funds quite quickly.

But, if we start dividing that money up to support other critical infrastructure, the amount going to each facility starts to drop off dramatically, not to mention the program costs that would probably come out of those totals.

What is needed?

That is a very open-ended question. We need to have a national discussion about what cybersecurity is needed at these water treatment facilities. Do we want the same level of nearly absolute (there is no such thing as absolute security) cybersecurity that we demand from nuclear power plants? That will be very expensive in both capital and security expertise, but it would give us very strong peace of mind that almost no one would be able to attack a water utility’s customers via their drinking water. Or do we just want to ensure that unsafe drinking water does not leave the facility and enter the drinking water distribution system? That would be much less expensive and would require significantly less cybersecurity expertise. I would expect that something approaching the latter would be acceptable to most people.

For regulatory purposes, we would have to define what that type of system would look like and how we would expect to measure adequate performance. I would expect that the regulations would define where in the treatment process we would expect a facility to make the necessary real-time measurements of water quality, set forth the minimum standards for reaction to unacceptable quality parameters, and then define the minimum system safety (including cybersecurity for automated systems) standards that would apply to that portion of the treatment process. Finally, we would need to put an inspection force into place to ensure that facilities lived up to the expectations outlined in the regulations.

The EPA certainly has the drinking water expertise to explicate how treatment facilities should be measuring drinking water quality and responding to out-of-standards test results. It would seem that they would therefore be designated as the agency responsible for ensuring that those systems were operating properly without outside malevolent interference. But Congress must give them the responsibility and the authority to require drinking water treatment facilities to meet those standards.
