
US Public Water Systems Subject to New Cybersecurity Requirements as EPA Publishes Mandate

The nation’s critical infrastructure has largely been improved by fiat under the Biden administration, with executive orders targeted primarily at raising cybersecurity requirements for these companies. Public water systems are the next sector up, though this time it is the Environmental Protection Agency (EPA) using its power to require states to address public health issues.

The EPA memorandum frames vulnerabilities in public water systems as a potential point of contamination, and thus a public health threat under its jurisdiction. The new cybersecurity requirements are part of an order to include new elements in periodic “sanitary surveys,” something that was directed after an extensive EPA study found that numerous public water systems across the country do not have cybersecurity programs in place.

Following pipeline and power orders, public water systems pushed to be next to modernize defenses

The EPA finds that in spite of increasing targeting by threat actors, public water systems often either do not have an adequate cybersecurity program or do not have one at all. These utilities will now have to perform periodic audits for “significant deficiencies” such as known vulnerabilities or lack of security controls.

The agency is giving public water systems an assortment of options for meeting these new cybersecurity requirements, however. The utilities may self-assess using a number of both government and private sector standards, such as NIST or ISO, so long as that option is approved by that particular state. Appropriately qualified third parties (also approved by the state) can be brought in, or the utility can turn to the EPA’s Water Sector Cybersecurity Evaluation Program.

Additionally, the state can opt to send in its own surveyors. And in the case of states that are ahead of the curve and already conducting such surveys via an emergency agency or something similar, that body can continue to conduct inspections. States are also invested with the ability to order follow-on risk mitigation plans for public water systems when deficiencies are found, which would then be reviewed during sanitary surveys. The EPA is offering technical assistance to states in terms of developing and meeting cybersecurity requirements.

The EPA’s most basic level of assistance is a checklist of cybersecurity requirements that public water systems can use as a foundation for their surveys, based on CISA’s Cross-Sector Cybersecurity Performance Goals. However, the agency is also promising to develop further guidance, and later in 2023 will begin to offer training in sanitary surveys for both states and public water systems (in a mix of both in-person and recorded lessons made available nationally).

The EPA is also establishing the Cybersecurity Technical Assistance Program for the Water Sector, which will be available to answer questions for states and public water systems, and provide consultations with a subject matter expert versed in the industry’s unique cybersecurity requirements.

These new cybersecurity requirements will not impact all public water systems, however. The authority for this action is based on the America’s Water Infrastructure Act of 2018, which exempts community water systems that serve under 3,300 people. Some 140,000 non-community water systems (primarily systems that serve areas seasonally or that only serve temporary travelers, such as campgrounds) are also not covered by these terms.

Critical infrastructure companies prioritized for cybersecurity requirements after 2021 incidents

Rapid action on cybersecurity requirements (at least by federal government standards) has followed the 2021 Colonial Pipeline attack, which temporarily disrupted gasoline supplies to a number of states. Several public water systems have also seen incursions in recent years, though these may have been the work of disgruntled former employees rather than criminal gangs. The hacks on water systems have not resulted in any successful tampering as of yet, but one attacker attempted to raise the lye content of the water to dangerous levels before being detected.

There are about 153,000 public water systems in total that will be subject to these new regulations, but many will likely have difficulty implementing cybersecurity requirements due to serving small populations and having no budget for such things. The EPA has announced several forms of financial aid, including a general fund it will administer and some grant programs.

The new cybersecurity requirements may not be enforced for some time, as the agency is requesting public comment on the guidance until May 31 of this year and has said that it plans to issue a revised edition after this period. It is also possible that the agency’s authority in this area could be challenged, though it has clear purview over water and waste safety and is extending a long-standing ability to order similar surveys of physical risks to systems.

Brendan Peter, Vice President of Global Government Affairs at SecurityScorecard, additionally notes that there is likely still a hill to climb in ensuring that companies are adhering to these requirements: “The memo published by the EPA that informs States of new requirements for the cybersecurity of drinking water systems is a step in the right direction when it comes to implementing controls to protect United States’ critical infrastructure.”

“The release from the EPA hopes to implement policies that will mitigate the risks of similar attacks. However, like any policy-based solution, it is up to the individual companies within the industry to implement and adhere to them in order for it to work,” added Peter.

Pete Lund, VP of Products – OT Security at OPSWAT, offers some suggestions for securing the most cash-strapped small public water systems that will likely struggle the most with any new cybersecurity requirements: “The challenge with improving security within Water and Wastewater Systems is that they are typically smaller municipalities with stretched resources, resulting in lower cybersecurity maturity than other industries. Compliance with industry requirements is a good first step, but so is starting with the basics. These organizations can start by assessing their people, process and what the impacts to operations would be if a cyberattack hit. Look at threat vectors and implement solutions that reduce the likelihood of an attack having an impact on those operations. Steps like securing remote access and removable media can greatly help increase resiliency.”