EPA Won’t Force Water Utilities to Audit Their Cybersecurity

The industry pushed back:

Despite the EPA’s willingness to provide training and technical support to help states and public water system organizations implement cybersecurity surveys, the move garnered opposition from both GOP state attorneys and trade groups.

Republican state attorneys that were against the new proposed policies said that the call for new inspections could overwhelm state regulators. The attorney generals of Arkansas, Iowa and Missouri all sued the EPA—claiming the agency had no authority to set these requirements. This led to the EPA’s proposal being temporarily blocked back in June.

So now we have a piece of our critical infrastructure with substandard cybersecurity. This seems like a really bad outcome.

Posted on October 24, 2023 at 7:02 AM • 34 Comments

Comments

Doug October 24, 2023 7:20 AM

It’s times like these I’m glad my home’s water is supplied by a well and I have a backup generator.

Wannabe techguy October 24, 2023 8:13 AM

Does the EPA have the knowledge to help?
The Cybersecurity has been substandard.

Winter October 24, 2023 9:19 AM

It is not that the USA have extra clean tap water to begin with.

https://www.theguardian.com/us-news/2021/mar/31/americas-tap-water-samples-forever-chemicals

https://abcnews.go.com/US/map-ongoing-water-crises-happening-us-now/story?id=89454219

Many of the cities or regions experiencing poor water access or conditions are in predominantly Black or Hispanic communities, according to data from the U.S. Census Bureau.

Uthor October 24, 2023 9:23 AM

Let the market decide. If your water is stopped or poisoned, just sell your house and move to another state.

yet another bruce October 24, 2023 9:40 AM

Did the EPA propose to audit all water companies or was there a size threshold? In some jurisdictions, two neighbors sharing a well are considered a water company. On the other hand, it seems pretty hard to argue that large metropolitan utilities don’t have the resources or the motivation to harden their infrastructure a little.

westparl October 24, 2023 10:27 AM

@Wannabe techguy

… the EPA has no special expertise beyond what’s already available in the private sector; nor are the heavily politicized EPA bureaucrats some special class of selfless humans solely devoted to impartial betterment of Americans’ lives.

Reflexive faith in the EPA bureaucracy & the Regulatory State is standard Leftish dogma.

Marco October 24, 2023 10:54 AM

It is a bit of a stretch to conclude that water utilities have substandard security simply because they opposed this EPA audit requirement. I work in the industry and many utilities take cybersecurity very seriously. Of course like mostly any sector, more can always be done. The EPA illegally tried to force this requirement on utilities through an “interpretative rule” modifying requirements of periodic “sanitary surveys” that utilities need to conduct under the Safe Drinking Water Act. This was not an appropriate way to establish completely new requirements. One of the trade groups’ comment letters is here: https://www.awwa.org/Portals/0/AWWA/Government/JointAssociationLettertoEPAonCybersecurity20230125.pdf

Winter October 24, 2023 10:56 AM

@westparl

Reflexive faith in the EPA bureaucracy & the Regulatory State is standard Leftish dogma.

All commercial tap water projects have been a total failure.

So what is the Libertarian approach? Bottled water?

https://unu.edu/press-release/bottled-water-masks-worlds-failure-supply-safe-water-all

AL October 24, 2023 11:51 AM

“claiming the agency had no authority”
If they don’t have the authority, they don’t have the authority and the problem lies in the legislative branch.

Clive Robinson October 24, 2023 12:11 PM

@ Winter, ALL,

“So what is the Libertarian approach? Bottled water?”

I sincerely hope not.

The reason is plastic particulates from the bottles that end up in the human gullet. From where they can and do end up as a permanent and growing form of non-organic build-up.

Some plastics are now known to have adverse effects like being associated with cancer and auto-immune diseases.

But also what happens to these bottles?

The CDC and EPA amongst other US Agencies have issued guidelines on the amount of water needed per person as a minimum per day and it’s 4 US quarts or ~4 litres.

So between two and eight plastic bottles per person per day.

So say a little over 10,000 bottles per family each year. Which is a lot of plastic wastage going into the environment.

“All commercial tap water projects have been a total failure.”

People living in California can give you some insight on the why. They have had legislation controlling how much water a home gets on a daily basis[1].

I’ve been told that it has caused some to fall into “water poverty” where they do not get sufficient water to maintain a clean environment.

It is known that you can, if you are careful, use under 2 liters of water to shower with (navy shower), but others with less thoughtful usage can easily use more than 130 liters, which if you had to carry it is more than 1/8th of a ton, that few people could carry any distance.

But that is just one water use activity… The average was 125USGal which is ~473liter or not far short of half a ton. So a little under 1.7tons a day for an average family dwelling by Californian figures[2].

Now the “commercial price” of bottled water varies, but I’m told 1USD/ltr is not uncommon…

Based on that the 1665ltr/day for a Californian household would cost just over six hundred thousand dollars per year…

[1] At times it has been limited to just 80 USGal a day,

https://www.latimes.com/california/story/2022-04-30/can-you-get-by-on-just-80-gallons-of-water-a-day

But the figures behind that suggest usage is not just above 120 USGal/person/day but is increasing significantly. Whilst availability of water has been rather more than decreasing in the past two decades, more so than in the preceding 1200 years…

[2] The average size of a US household is dropping and is a little below 3.5 people per home. According to,

https://worldpopulationreview.com/state-rankings/average-family-size-by-state

California has the second highest at 3.52.

Woody Setzer October 24, 2023 12:33 PM

Perhaps the headline should use “can’t” instead of “won’t”, since it looks like the Eighth Circuit issued a stay.

Winter October 24, 2023 1:16 PM

@Clive

The reason is plastic particulates from the bottles that end up in the human gullet.

An opportunity for investors in medical facilities and drug companies.

But also what happens to these bottles?

I suspect consumers will have to pay for waste disposal and garbage collection service. Or more likely the solution you see in, eg, Indonesia and the Philippines where the landscape and river beds are just layers of plastic waste.

The average was 125USGal which is ~473liter or not far short of half a ton.

You do not need clean water to wash, just to drink and cook. California has an absolute water shortage because they specialise in growing water intensive crops [1]. Other places have enough water, they just do not succeed in delivering it clean enough to end users. But that is also a political choice.

Now the “commercial price” of bottled water varies, but I’m told 1USD/ltr is not uncommon…

The price of tap water is ~2 euros per M^3 or 0.2% of bottled water.

[1] https://www.pressdemocrat.com/article/specialsections/these-are-the-california-crops-that-use-the-most-water/

kurker October 24, 2023 3:33 PM

@Clive Robinson, ALL
re: water use/need

80 US gallons is a splash over 300 litres, per person, per day. 40 years ago, when the hopeful first world city of Auckland, NZ, was looking for new sources of water for a growing population, average per capita daily consumption was 140 litres. UN Refugee Agency recommends for a civilized lifestyle 70 litres minimum. Supplies in Gaza are currently estimated as 3 (three) litres per person per day.

Nombre NoImportante October 24, 2023 4:24 PM

As someone who got his feet wet in this industry at the beginning of my career, went to the private sector, then contracting, then is back in this field, I was very disappointed to see the EPA back down on this. I don’t like the method the EPA dictated for this to be carried out. But the thinking was correct that this needs to happen. There is a very wide divide in this field, of organizations that do take a proactive approach on one end, to those that lack funding for staff/experience/basic equipment and service contracts on the other. Some form of regulatory requirements are NEEDED. And you’re right, this is a completely bad outcome for the industry, and ultimately residents.

Stuart October 24, 2023 5:08 PM

to Winter:

Private water utility companies existed in the United States for 250 years and thousands still thrive today … serving more than 75 million Americans.

Widespread, bipartisan support exists for the role of private water in improving infrastructure and delivering safe drinking water.
The U.S. Conference of Mayors Urban Water Council, the National League of Cities, the Brookings Institution, and the White House have said that private water companies provide proven and important options for municipalities facing urgent water infrastructure and operational needs.
Each year, private water companies invest billions of dollars to improve water systems, conduct research, and develop new technologies.

A water system run by the private sector is generally more efficient and cost effective than government run systems.
The largest private water utilities have fewer EPA violations.

Clive Robinson October 24, 2023 5:50 PM

@ Nombre NoImportante, ALL,

“As someone who got his feet wet in this industry at the beginning of my career”

You are not clear which industry ICTsec, Water or both, and what you say to my eye is applicable to both.

Not that it really matters as both have changed significantly in the past 40 years as I can attest.

You give a brief description of ills of the water industry or more precisely ICTsec within it.

Rather than have me give my normal spiel on how the expectations of unknowledgeable or don’t care employers managers and those doing the work can not coincide… Perhaps the words of a previous frequenter of this blog from a month or three back, who has a bit of fame in his own right. @Dirk Praet has written,

https://www.linkedin.com/pulse/consultant-swiss-army-knife-dirk-praet

It’s worth a read because it explains a problem that has made a gulf of misunderstanding that does neither side any favours.

@ Dirk Praet,

If you are still “lurking” you might want to pop up and say Hi, I suspect a few others of “the usual suspects” are still lurking as well.

Anon E. Moose October 24, 2023 6:15 PM

All water sources should be filtered. Nobody is perfect and mistakes happen. Private wells, shared wells, and water districts can all be contaminated at any time and without ample notification. Ask anyone that has had a well become salty, contaminated by fracking or become contaminated by Arsenic or Cryptosporidium into the water supply. When we lived in town we noticed the water began to smell like a swimming pool. A week later we were notified the water district put too much chlorine in the water by 10 times the normal amount. It was making people ill. We had a filter that filtered out the chlorine.

Dave October 24, 2023 7:48 PM

So now we have a piece of our critical infrastructure with substandard cybersecurity.

Don’t worry, after The Event there’ll be a ton of hastily-assembled legislation pushed through to try and make sure it doesn’t happen again. Most of which, like the 9/11 legislation, would have done little to prevent The Event, but maybe some of it will involve strengthening critical infrastructure cybersecurity measures.

Dave October 24, 2023 7:57 PM

It’s not just agricultural use that’s a problem, the single largest use of water in the US by households is outdoors, presumably for watering gardens. From the figures on that EPA page, total use is 38,000 litres a month for a four-person household.

Winter October 25, 2023 1:23 AM

@Stuart

A water system run by the private sector is generally more efficient and cost effective than government run systems.

That is not the general experience:

Some Facts and Figures
https://www.foodandwaterwatch.org/2015/08/02/water-privatization-facts-and-figures/

https://www.waternewseurope.com/france-builds-on-its-public-water-supply-trend-with-lyon-and-bordeaux-ditching-privatisation/

Stuart October 25, 2023 6:14 AM

@Winter

… a very weak dodge from your original smug mocking of Private Sector water systems, in which you boldly stated:

“All commercial tap water projects have been a total failure.

So what is the Libertarian approach? Bottled water? ”

====

Winter October 25, 2023 7:12 AM

@Stuart

a very weak dodge from your original smug mocking of Private Sector water systems

I might have been influenced by the experiences world wide [1] and personal experiencing it in Indonesia [2], which are much worse than the linked article suggests, the piped water is undrinkable in most, if not all, of Indonesia.

But if you have good experiences in the US, I’m happy to hear that things are not as bad as I feared.

[1] https://amp.theguardian.com/global-development/2015/jan/30/water-privatisation-worldwide-failure-lagos-world-bank

[2] https://nextwatergovernance.net/blog/towards-100-years-of-tap-water-in-jakarta

Stuart October 25, 2023 9:55 AM

@Winter

….Oh, ‘experiences’ are what really count /?

just accept that your original statement here was just empty posturing

Clive Robinson October 25, 2023 10:03 AM

@ Stuart, Winter, ALL,

Re : Free Market Water Supply Systems.

“A water system run by the private sector is generally more efficient and cost effective than government run systems.”

Not in my experience and I’ve worked in the water industry on the technical side of maintenance and re-engineering. So I have seen it as an insider and as a “no choice consumer”.

Why do I say “no choice consumer”, well water supply and sewage removal like all utilities is effectively a monopoly in any given area. Even when you try separating the water from the actual supply infrastructure. You still end up with a monopoly for the infrastructure charges and at best a cartel for the supply of water.

The reality is you can not pick and choose whose supplied water you get to drink. The laws of physics and transportation costs decide that. So you get the water from the supplier that has the highest pressure at the pipe that enters your property and as that pressure does not come for free and gets more expensive with distance that usually means the closest supplier no matter how bad the water is (see news stories with regards Flint Michigan to see one of those that have been caught “lead handed” under Governor Rick Snyder (R) who amongst many others were charged with quite serious crimes including twelve counts of killing people).

The “efficiency” you claim is without doubt illusory and is usually based on “short term cost savings” that actually have significant long term expenses. In some cases it’s easy to see why, such as deferring essential maintenance and laying-off those who actually have the rare skill sets to manage infrastructure safely.

In the case of Flint they had long long avoided replacing lead pipe with faulty joints. Failure to add sufficient chemicals to the supply caused significant leaching of lead and build up of organic contaminates including significant pathogens.

The fact they are replacing the lead pipes with copper does not really solve the issue. Because as with lead, copper can leach into water with the wrong chemical content and thus just as with lead cause various metabolic syndromes and toxicological disadvantages all the way up to and including death that is often protracted and significantly debilitating.

The reason Flint happened was the “business practices employed” thus it makes little difference if the water supply is run by a municipality or a private entity with or without share holders.

If you want to see other aspects of how water companies fail look at England, where in the 1980’s “Free Market thinking” was used to “sell-off” the existing water supply organisations. It has with little doubt turned over the past four or so decades into an unmitigated disaster and will take probably up to 10 human generations to just get back to a stable safe state, if it ever does, which is very unlikely as long as the dangerous “business practices” continue to be used, which politically and economically appears extremely likely.

Winter October 25, 2023 10:17 AM

@Stuart

….Oh, ‘experiences’ are what really count /?

Sitting in a very plush hotel in Indonesia’s second city and having to use bottled water because the stuff from the hotel’s tap looks like pond water [1], yeah that drives the message home.

But the other links I added gave the message a more quantitative foundation. The UK is far from exceptional in this respect. Even your description of the situation in the US does not match the numbers I linked to.

[1] We were warned that the water was more dangerous than mere pond water.

Nombre NoImportante October 25, 2023 12:08 PM

@Clive

The second paragraph of that article is why I left consulting. I saw exactly that happening.

Unfortunately, in the Water/Wastewater side of things, they don’t know what they need, which was why they were requesting us in the first place. A large amount of these orgs do not have IT/OT staff that know the NIST framework, or IEC 62443. Also unfortunately I saw the same on the Manufacturing side of things.

Until these are required by regulations, those orgs won’t adopt them. Never cared for ICTsec label. Always considered myself IT/OT Sec as I was responsible for both sides.

bruno October 26, 2023 7:02 PM

“The attorney generals of Arkansas, Iowa and Missouri all sued the EPA…”

Attorneys General

blah November 1, 2023 2:13 PM

“So now we have a piece of our critical infrastructure with substandard cybersecurity.”

But capitalism prioritizes immediate profits ahead of immediate costs. And security review costs money. But if we just wait, the Russian hackers will find the holes for us.

jeremy November 1, 2023 2:16 PM

@Uthor
Let the market decide. If your water is stopped or poisoned, just sell your house and move to another state.

Disclosure laws might require explaining to the buyer the water situation. Good luck selling in that case.

Clive Robinson November 1, 2023 6:41 PM

@ blah,

Re : Grab the money and run.

“But capitalism prioritizes immediate profits ahead of immediate costs.”

Actually no “capitalism” in the broad sense does not, it’s about encouraging growth and taking a reward for that which you put towards future growth.

The various “neo-” types who have mantras such as “Don’t leave money on the table/floor” are not actually “capitalists” in that sense, though they do pretend and pay others to “paint them in such a flag”. What they actually are is “self entitled” and “greedy” and hell bent on accumulation no matter what the cost / harms are to others… With ironically due actually to their very short term views they hurt themselves as well.

For instance an actual capitalist realises that they do not stand alone, they are dependent on others. Thus they implicitly know that,

“Rising waters lift all well found vessels”

Thus they will pay towards “social good” as they benefit from it more than it costs them.

At the crudest view, your workers are your customers, if you make them unemployed who buys your goods?

Less obviously if the population is unhealthy because health care is significantly over priced due to profit gouging, then they become not just sick but a nexus for disease. The pathogens see no difference between wealthy and poor, just the next host to use. So the pathogens will spread to the wealthy and kill them as well. Keep the population sufficiently healthy and virulent disease has less of a “toe hold” to spread rapidly.

Likewise roads, they are expensive to build especially if made to a sufficient standard, which is why private roads are generally in bad repair or of shoddy design that is a forever cost in annual maintenance. If you are a manufacturer with “goods to ship” and “workers to get on site” then it’s in your own self interest to have the roads not just well built but well maintained, to minimise adverse effects outside your gates.

I could go on, with a very long list, and actual capitalists are aware of these “beneficial costs”, the “neo-” types think they are smart by avoiding them… But turn and look around much of the USA, and ask, “Where is the manufacturing?”, “Where is the customer base?” and similar questions.

Those behind the losses are not building “growth” but “recession”, therefore they are not capitalists in the traditional meaning, just at best grubby profiteers greedily grabbing and running, and leaving devastation in their wake. They think they are smart, but Financial Crises FC1,2,3,4 leading into C19 etc should tell you the truth of the matter…

JonKnowsNothing November 1, 2023 10:35 PM

@ blah, @Clive, All

re: not building “growth” but “recession”

Traditional Economics 101-102 points to the need for Competition In Markets for a healthy economy and that without competition economies skew badly. It doesn’t really matter what the economic structure starts out as; without Free Entry To Market the entire thing begins to tilt and then plant.

Since 1970s the economic view began to tilt to an extreme. (1)

The first hallmark of the shift is the decreasing economic competition in all sectors (2) and the increase in barriers to entry to any given market (3). The concentration of economic capital and activity, done under the banner of increased productivity, leads to practical and virtual monopolies.

In the USA, these mega-monopolies are considered good things. Every business wants to become one.

The second hallmark is “pulling up the ladder behind them” by passing laws, getting rulings, legislation and impeding any competition by whatever means legal or otherwise.

Having “knowledge” of a business is not required for most businesses. Being good at what you do or service you provide is what keeps you in business. All you need is some capital to get started. (Getting capital is a different but related issue).

Consider Barriers To Entry

  • College Degree
  • Medical, Dental, Legal Degree
  • Suitable Agricultural Land
  • Planning and other approvals
  • Access to Markets (you v Google)
  • Access to Resources (you v China)

The list is almost endless on things you cannot get access to or get permits for.

  • Cannot run business out of residential housing
  • Cannot have a rental cabin park without the proper zoning
  • Cannot open a farmers market without a County and City Health Department Certificate

It isn’t that people do not do things but they cannot compete in an open market.

Once the ladder is pulled up, competition drops.

All the so-called cost savings has been at the expense of the previously employed. There is very little in the way of New Thinking, it’s a lot of MeToo. But primarily the MeToo is all from the same or a few companies.

Even when municipalities request contract bids for a service, the proposal includes a lot of “must haves” that reduce the number of potential bidders to one or a few. It’s a lot like setting resume blockers: recent graduate with 10yrs experience.

You might be able to buy a used trash pickup truck and start a business but do not think you will pick up municipal residential trash with it. That contract belongs to a big corporation.

Nor can you just volunteer to go around removing graffiti and repainting the walls. That’s under exclusive contract too.

===

1)
https://en.wikipedia.org/wiki/Keynesian_economics

https://en.wikipedia.org/wiki/Friedrich_Hayek

2)
https://arstechnica.com/tech-policy/2023/11/14-big-landlords-used-software-to-collude-on-rent-prices-dc-lawsuit-says/

  • 14 of the city’s largest landlord firms, claiming they entered into agreements with a property management software firm to keep rent prices high
  • 30 percent of buildings with five or more units … 60 percent of 50-unit-plus buildings. Across a wider … area, more than 90 percent of units in large buildings

3)
https://en.wikipedia.org/wiki/Browning-Ferris_Industries

  • opened its first landfill in 1968. The company soon became the first waste hauler on the New York Stock Exchange, after purchasing the Browning-Ferris Machinery Company, and changing their name to Browning-Ferris Industries. BFI was an early competitor to Waste Management, Inc. BFI and Waste Management both began to buy the locally owned companies and create national brands. Many of these companies had failed in the early 1970s after failing to adapt to new environmental regulations.
  • By 1988, BFI was the second largest publicly company in the waste management industry, serving more than 4.5 million residential customers. By 1992, it had 26,000 employees, operated in ten countries, and reported sales of 3 billion dollars. The company owned more than 90 landfills.

JonKnowsNothing November 1, 2023 11:12 PM

@Doug

re: It’s times like these I’m glad my home’s water is supplied by a well and I have a backup generator.

Don’t be too sure about that. There are a lot of farms, cities and homes where the wells have gone dry or been contaminated.

In California, you need a permit for a well. The county keeps track of where the wells are located and specifics about the well. There are not-so-subtle hints that “they” are interested in putting a meter on your well and charge you for your pump out.

afaik “they” have not yet sorted out the finer details; such as repaying your cost for drilling the well, nor what to do if you don’t pay your pump out charge.

In the Western USA, water is a very big deal. The cities do not have enough to fill their swimming pools and the farmers do not have enough to water their crops. Pollution creep is a very big problem.

===

Contains a sampler list of nematocides used.

NEMATICIDES
DAVID J. CHITWOOD
USDA-ARS
Beltsville, Maryland

https://www.ars.usda.gov/ARSUserFiles/990/Chitwood2003NematicideReview.pdf

1,2-Dibromo-3-Chloropropane

Liquid formulations of this fumigant with substantial nematode-specific activity were once popular. The compound was notable because of its usefulness in post-plant applications. The discovery that over one-third of the male workers at a DBCP manufacturing plant in California were sterile led to the immediate 1977 prohibition of its use in the United States, except for usage in pineapple production (14). Sterility problems were also reported among some DBCP applicators (14). All uses were prohibited in the late 1980s. DBCP is classified as a possible or probable human carcinogen.

https://en.wikipedia.org/wiki/1,2-dibromo-3-chloropropane

This was heavily used in Central California. Nearly every town in the region has contaminated wells from seepage and constantly have to drill new wells to keep ahead of the pollution path.

Ed Carp November 15, 2023 10:45 PM

“Republican state attorneys that were against the new proposed policies said that the call for new inspections could overwhelm state regulators. The attorney generals of Arkansas, Iowa and Missouri all sued the EPA — claiming the agency had no authority to set these requirements. This led to the EPA’s proposal being temporarily blocked back in June.”

And rightfully so. The Supreme Court has repeatedly ruled that Federal agencies have no authority to, in essence, make law – that’s the job of Congress.

Roger Caslow December 5, 2023 3:01 PM

Regulation without funding was not the solution. EPA is the Sector Risk Management Agency for the Water and Wastewater Systems Sector, not CISA BTW. EPA had to stand up completely different divisions to help support this most critical infrastructure. New talent that competes with the already drained pool of expertise. This was nothing more than a UFR against small and medium W/WS utilities, the ones who need help the most.
