In July the Department of Homeland Security (DHS) must identify types of infrastructure where a cybersecurity attack could reasonably result in catastrophic regional or national effects to economic security, public health and safety or national security. DHS was directed to come up with the list by President Obama under the February 2013 White House Executive Order on cybersecurity.
Recently AMWA WaterISAC and several utility representatives met with DHS and U.S. EPA to discuss whether water or wastewater infrastructure would meet DHS's criteria: 1) first year total economic consequences greater than $50 billion, or 2) first year total economic consequences greater than $25 billion plus greater than 2,500 prompt fatalities, or 3) severe degradation of national security or defense.
DHS concluded that an attack on water or wastewater sector infrastructure would not likely meet these minimum thresholds. Utility redundancy and recovery options were compelling reasons that meeting these thresholds would be unlikely.
Were DHS to determine water infrastructure met the criteria, DHS would then have determined which particular utilities should be identified and those utilities would have been pressed to voluntarily adopt federally developed cybersecurity practices (see article below on the NIST Cybersecurity Framework), and U.S. EPA would have been required to report annually to the President on whether those utilities had done so.
DHS's assessment will be reviewed and finalized between now and July, but AMWA does not anticipate DHS will changes its position. However, DHS must review the list annually, and it is always possible the criteria could change.