The U.S. EPA has a released a memorandum requiring states to survey cybersecurity best practices at public water systems.
The agency says that a recent survey and reports of cyber-attacks show that many public water systems have not adopted basic cybersecurity best practices and are at risk of cyberattacks.
“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water Radhika Fox. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems."
EPA says that states must include cybersecurity when they conduct periodic audits of water systems (called “sanitary surveys”). The memorandum highlights different approaches for states to fulfill this responsibility.
EPA is also providing technical assistance and resources to assist states and water systems as they work toward implementation of a robust cybersecurity program.
EPA’s guidance, titled “Evaluating Cybersecurity During Public Water Sanitary Surveys” is intended to assist states with building cybersecurity into sanitary surveys. It includes key information on options for evaluating and improving the cybersecurity of operational technology used for safe drinking water.
The agency is also requesting public comment on Sections 4-8 of the guidance and all Appendices until May 31, 2023. Comments can be submitted by email to [email protected]. EPA plans to revise and update the document based on public comment and new information.
EPA’s technical assistance program has already proven effective in aiding systems with their cybersecurity and EPA says that it looks forward to working with other entities in the future.
“EPA’s cybersecurity technical assistance program provided a wonderful jumping-off point to work on improving the cybersecurity of the water and sewer systems,” said Amy Rusiecki, Assistant Superintendent of Operations, Town of Amherst Public Works, Massachusetts. “The program armed us with the tools to have the appropriate conversations with the Town’s IT staff and our water/sewer staff to take small steps toward improvement. The roadmap for how to correct the Town’s vulnerabilities is still driving decisions today.”
The agency says that it will be offering additional training on how to implement best practices for cybersecurity and use the available resources. EPA is also offering consultations with subject matter experts and direct technical assistance to water systems to conduct assessments of their cybersecurity practices and plans for closing security gaps.