From NextGov :
During the rollout in January  of a voluntary initiative to secure industrial control systems in the water sector, for example, senior administration officials said the Environmental Protection Agency has limited authorities to impose basic cybersecurity requirements on operators and that the White House is working with the agency to propose legislation that would give it powers similar to TSAs.
Not everyone agrees with that assessment. During an event  the R Street Institute recently hosted on water-sector cybersecurity, Mark Montgomery, who served as executive director of the congressionally mandated Cyberspace Solarium Commission, said “EPA has tons of regulatory authority” it could use for cybersecurity.
Montgomery, who is now a senior fellow at the Foundation for Defense of Democracies and director of its center on cyber and technology innovation, said the issue is one of insufficient resources, adding it wasn’t too long ago that TSA was in a similar situation with only a handful of employees working on pipeline cybersecurity .
In a report FDD published on the issue last fall, Montgomery recommended a temporary solution as EPA builds up its cybersecurity bench.
- “NextGov”: https://www.nextgov.com/cybersecurity/2022/07/official-white-house-meet-rail-industry-issuing-cybersecurity-rules/374794/
- “rollout in January”: https://www.nextgov.com/cybersecurity/2022/01/epa-leading-white-house-effort-secure-water-sector-against-cyberattacks/361241/
- “event”: https://www.rstreet.org/event/deep-dive-water-cybersecurity/
- “only a handful of employees working on pipeline cybersecurity”: https://www.gao.gov/products/gao-19-542t