According to a release from credit rating firm Fitch Ratings, the U.S. Environmental Protection Agency’s (EPA) requirement that all public water systems incorporate cyber risk and resiliency in their periodic reviews will add an increased regulatory and financial burden that could be even greater for smaller systems and systems with minimal existing cyber infrastructure.
Fitch Ratings says the requirement could have a significant effect on water utilities’ capex budgets, and margins would be pressured if systems are unable or unwilling to pass on the added costs to customers through rate increases.
The EPA’s memorandum, which became effective immediately on March 3, 2023, requires states to incorporate a review of cyber resilience in their regular periodic audits of public water systems (sanitary surveys). Sanitary surveys identify deficiencies that could affect safe water supply, and the EPA is including cybersecurity as a potential deficiency.
“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water Radhika Fox. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
States may now be required to evaluate cybersecurity practices and controls as part of the regulatory requirement to review public water systems’ equipment and operations to ensure water supply or safety. A utility must address and correct any cybersecurity deficiency identified by the state. Significant deficiencies could include the absence of a practice or control, or the presence of a vulnerability that has a high risk of being exploited. Should deficiencies not be remedied and result in a breach, Fitch would consider the magnitude of the impact on both finances and operations. According to Fitch, such deficiencies may negatively affect the credit agency’s view of management and governance, and potentially result in negative rating action if a breach results in weakened financial metrics or supply disruption.
The Cybersecurity and Infrastructure Security Agency is able to help states with risk assessments, but it is not a dedicated resource and ultimately the responsibility will likely fall on states to interpret cyber resilience and remedies, leading to varying approaches.
Fitch says that given that there was little federal cyber regulation for the sector prior to this memorandum, many utilities will likely have deficiencies cited in sanitary surveys. Water utility operational technology can be quite old and may not be compatible with needed cybersecurity upgrades or software enhancements. Fitch expects that water utilities could incur significant costs in the medium term to update systems and upgrade infrastructure to improve cybersecurity.
In the absence of new robust federal appropriation, Fitch says it expects utilities will pass on costs to customers through rate hikes, where feasible.
Smaller utilities with weaker cybersecurity practices and technology may be less able to fully pass on what could be considerable costs, as their customer base could be less able to bear a jump in rates. As a result, margins could suffer, liquidity and leverage could weaken, and negative rating pressure could build.
The EPA points to a few broad resources that are available to help utilities with remediation, but these resources have other funding mandates besides cybersecurity and will only provide some of the resources needed. These include the Drinking Water State Revolving Fund, EPA’s Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program, and USDA Rural Utilities Service Water and Environmental Programs loans.
America’s Water Infrastructure Act of 2018 (AWIA) requires water systems serving over 3,300 people to assess the risk and resilience of computer systems, but does not provide for any formal review of utilities. The EPA memo, on the other hand, applies to all public water systems. Assessments and emergency response plans under the AWIA may be used to support states’ cyber resilience assessments.
In April, Missouri, Arkansas and Iowa filed a petition to have the EPA cybersecurity mandates reviewed in the U.S. Court of Appeals for the Eighth Circuit. These states have concerns with the financial burden presented by the new requirement and argue that EPA does not have authority to expand the scope of existing regulations without Congressional action.