Due to a reported increase in cybersecurity attacks, the EPA issued a memorandum on March 3, 2023, advising public water systems (PWSs) of various approaches to protect themselves from these types of attacks.
The memo stresses the need for states to assess cybersecurity risk at drinking water systems to protect public drinking water. “While some public water systems (PWSs) have taken important steps to improve their cybersecurity, a recent survey and reports of cyber-attacks show that many have not adopted basic cybersecurity best practices and are at risk of cyber-attacks — whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor,” states the memo, which requires states to survey cybersecurity best practices at PWSs.
“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water Radhika Fox.“EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
The memorandum conveys the EPA’s interpretation that states must include cybersecurity when they conduct periodic audits of water systems (called “sanitary surveys”) and highlights different approaches for states to fulfill this responsibility.
“Cybersecurity represents a substantial and increasing threat to the water sector, given the relative ease of access to critical water treatment systems from the internet. Currently, many water systems do not implement cybersecurity practices. Efforts to improve cybersecurity through voluntary measures have yielded minimal progress to protect the nations vitally important drinking water systems,” an EPA news release says regarding the cybersecurity memo. “Water security planning has been a critical component of EPA and of state efforts to ensure the provision of clean and safe water since the increased threat of terrorism and malevolent attacks after 9/11. Through their sanitary survey programs, states have worked with PWSs to identify and protect against physical security vulnerabilities. PWSs have increasingly relied on the use of electronic systems to operate drinking water systems efficiently. As a result, incidents of malicious cyber activity on PWSs have shut down critical treatment processes, locked up control system networks behind ransomware, and disabled communications used to monitor and control distribution system infrastructure like pumping stations. Including cybersecurity in PWS sanitary surveys, or equivalent alternate programs, is an essential tool to address vulnerabilities and mitigate consequences, which can reduce the risk of a successful cyberattack on a PWS and improve recovery if a cyber incident occurs.”
The EPA is providing technical assistance and resources to assist states and water systems as they work toward implementation of a robust cybersecurity program. The EPA’s “Evaluating Cybersecurity During Public Water Sanitary Surveys” guidance is intended to assist states with building cybersecurity into sanitary surveys. It includes key information on options for evaluating and improving the cybersecurity of operational technology used for safe drinking water.
While this guidance is designed to be used right away, the EPA is also requesting public comment on Sections 4–8 of the guidance and all appendices until May 31, 2023. To submit comments, e-mail wicrd-outreach@epa.gov.
As comments are received, the EPA plans to update its guidance documents on this issue.