Sunday, November 14, 2021

Water Cybersecurity – NERC CIP or Something Else

An interesting blog post by Patrick Miller over on on the topic of using the NERC CIP as a model for cybersecurity regulation of the water treatment/wastewater treatment sector. With his long experience with NERC CIP from a number of different perspectives, Patrick makes a number of important points that should be taken into account in any discussion of how to regulate the water sector. Unfortunately, I think he missed an important question, does cybersecurity really need to be regulated in that sector?

Last February I weighed in on this topic with my post “Call for Cybersecurity Regulations”. I want to take another look at the topic here, from a slightly different perspective, a perspective well familiar to those with experience in the Chemical Facility Anti-Terrorism Standards (CFATS) program, risk-based cybersecurity.

From a regulatory perspective, the federal government has no legitimate interest in insuring that the information services at water treatment facilities are adequately protected from cyberattacks. That is a utility management issue, the purview of State and local utility oversight organizations. Similarly, the EPA is only interested in ensuring that the water leaving the facility (into drinking water distribution systems or back into the wild, depending on the type of treatment plant) meets certain quality standards. As long as output testing controls are adequately protected, the cybersecurity of upstream treatment is not a legitimate federal concern.

So, we do not need a comprehensive set of cybersecurity regulatory controls to protect water treatment facilities from cyberattacks. We need each facility to have a risk-based vulnerability assessment of what controls (manual, analog and digital) at their unique facility are critical to output quality controls and then a properly scoped security plan (physical and digital) to protect those critical controls.

The EPA has taken a poorly crafted crack at the assessment side of the equation, but they are relying on local facility management that is trained and experienced in water treatment engineering to conduct security assessments. And they are just requiring that facilities certify that those assessments have been properly done. Security planning is just an after-thought.

What is needed is an online tool like that used in the CFATS program to submit vulnerability assessment data and relatively formulaic security plans. Water facilities are going to be more similar than chemical facilities, so a water security assessment tool (WSAT) will not need to be as complicated as the CFATS chemical security assessment tool (CSAT).

As I have said before, CFATS is probably a better model to look at rather than something like NERC CIP or the nuclear facility security model.

No comments:

/* Use this with templates/template-twocol.html */