EPA asks water utilities to include cybersecurity practices for audits


Cybersecurity protocols must be integrated into audits for U.S. water utilities, says the Environmental Protection Agency (EPA), as it works to clarify definitions and required actions to close cybersecurity gaps that leave infrastructure vulnerable.

The periodic audits, often referred to as sanitary surveys, are part of state regulatory requirements to evaluate the adequacy of facilities equipment, operation, and maintenance for producing and distributing safe drinking water. The EPA’s latest interpretation clarifies that the regulatory requirement to review the “equipment” and “operation” must include an audit of cybersecurity practices and controls needed to maintain the integrity and continued functioning of a facility’s operational technology.

If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state will direct the facility to upgrade its protections, the EPA says.

“Americans deserve to have confidence in their water systems’ resilience to cyber attackers,” announced Anne Neuberger, deputy national security advisor for cyber and emerging technologies on the National Security Council. “The EPA’s new action requires water systems to implement adequate cybersecurity to provide that confidence.”

Subscribe to our Newsletter!

The latest environmental engineering news direct to your inbox. You can unsubscribe at any time.

The clarification comes on the heels of new guidance and a facility survey from the EPA. In the survey, the agency says it found that many U.S. water facilities have “failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by a cyber-attack — whether from an individual, criminal collective, or a sophisticated state or state sponsored actor.”

Notably, the EPA already interprets its sanitary survey regulations to require a review of Supervisory Control and Data Acquisition (SCADA) systems, which if attacked, could disrupt the delivery of, or even contaminate, drinking water.

In Canada, cybersecurity for infrastructure is controlled by the Canadian Centre for Cyber Security, or the Cyber Centre. Last spring, the centre issued security considerations for critical infrastructure. In November, Public Safety Canada introduced version two of The Canadian Cyber Security Tool, which operates a self-assessment for facilities. It “provides the participant with an overview of their organization’s operational resilience and cyber security posture, as well as comparative results across their sector,” says Public Safety Canada.

While Canadian public reporting of cyber-incidents are rare, last week the Department of National Defence confirmed a ransomware attack on a major engineering firm involved with some Canadian military facilities.

In its new guidance on the issue of cybersecurity, the EPA has also released Evaluating Cybersecurity in PWS Sanitary Surveys, for public comment.

Later this year, the EPA will offer training for states and water utilities on evaluating cybersecurity in sanitary surveys. Like the guidance, the training will cover approaches to evaluate cybersecurity practices at the facility, including identifying gaps and potential significant deficiencies, actions that could be employed to address cybersecurity gaps, information protection, available technical assistance from EPA and other public and private-sector organizations, and potential funding.

The EPA has also set up a Cybersecurity Technical Assistance Program for the water sector. Under this program, states and facilities can submit questions or request to consult with a subject matter expert regarding cybersecurity required for sanitary surveys.

Another new resource offered to water utilities is a cybersecurity checklist. It offers tips such as creating sufficiently complex system passwords; requiring multi-factor authentication wherever possible; using unique and separate credentials for users to access OT and IT networks; prohibiting the connection of unauthorized hardware; identifying one role/position/title responsible for cybersecurity within the facility; and creating a written procedure for reporting cybersecurity incidents, including how (e.g., phone call, Internet submission) and to whom (e.g., FBI or other law enforcement, CISA, state regulators, WaterISAC, cyber insurance provider).


Please enter your comment!
Please enter your name here