Obama Administration Issues New Cyber Order and New Resilience Directive

On February 12th President Obama issued a new Executive Order (still unnumbered) to create a voluntary process for better protecting critical infrastructures from cyber attacks. Under the Order, the private entities within the telecommunications, energy, and transportation sectors are strongly and specifically encouraged to adopt voluntary standards to defeat attacks and diminish vulnerabilities.  At present, only the nuclear and electric sectors have mandatory and enforceable cyber security standards.

Although not specifically identified, water and wastewater utilities will likely be invited to participate in some form of voluntary reporting scheme. Those utilities identified as ones where “…a cyber security incident could reasonably result in catastrophic regional or national effect on public health or safety, economic security, or national security” would likely move into a separate initiative where select threat and vulnerability information would be collected and exchanged with appropriate Federal agencies.  Most utilities would follow EPA’s lead as the Water Sector Specific Agency to “consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.”

Separately, but on the same date, the Administration issued Presidential Policy Directive 21 (PPD-21).  This directive establishes national policy on critical infrastructure security and resilience.  It refines and clarifies the critical infrastructure related functions, roles, and responsibilities across the Federal government as well as enhances overall coordination and collaboration.  PPD-21 identifies three strategic imperatives that will drive the Federal approach to strengthen critical infrastructure security and resilience:

1)   Refine and clarify functional relationships across the Federal government;

2)   Enable effective information exchange by identifying baseline data and systems requirements; and

3)   Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.

The Directive goes on to say that there must be national unity of effort for this strategy to be successful.  Such an effort “must include expertise and day-to-day engagement from the Sector Specific Agencies (SSAs) as well as the specialized or support capabilities from other Federal departments and agencies, and strong collaboration with critical infrastructure owners and operators and SLTT (state, local, territorial, and tribal) [emphasis added] entities.”  For EPA, as the Water Sector SSA, this would mean that they would need to collaborate more closely with the water community as well as state primacy agencies.  They would also be called on to serve as the Federal interface for prioritization of water sector activities; provide, support, or facilitate technical assistance and consultations for the Water Sector to identify vulnerabilities and help mitigate incidents, as appropriate; and provide annual sector-specific critical infrastructure information.

The Directive also includes specific timeframes for a range of Federal activities to be undertaken.  For example, DHS has 120 days to identify and describe the functional relationships across Federal agencies.  When complete, this description is expected to serve as a roadmap for critical infrastructure owners and operators and SLTT entities to navigate the Federal governments functions and primary points of contact for security and resilience.  DHS is also challenged to conduct an analysis of the existing public-private partnership model for each sector and recommend improvements within 150 days.  Within 240 days, DHS is to provide a ‘successor’ to the current National Infrastructure Protection Plan.  This new plan is required to include a risk management framework, methods to prioritize critical infrastructure, appropriate protocols to synchronize communications within the Federal government, and a metrics and analysis process to measure the Nation’s ability to manage and reduce risks to critical infrastructure.

PPD-21 has clear implications for state drinking water programs as new directions, strategies, and recommendations are being developed to better enhance water and wastewater infrastructure.  ASDWA will work with our EPA and Water Sector partners to ensure that state perspectives are considered.