The words “cybersecurity” and “water” rarely get mentioned in the same sentence, but a growing digital threat to public water supplies has spurred the U.S. Environmental Protection Agency (EPA) to release a memorandum stressing the need for states to assess cybersecurity risk at drinking water systems.
The EPA noted a recent survey and reports of cyber-attacks determined that many states have yet to adopt basic cybersecurity best practices at public water systems. The new memorandum conveyed EPA”™s interpretation that states must include cybersecurity when they conduct periodic audits of water systems ”” called “sanitary surveys” ”” and highlighted the different approaches for states to fulfill this responsibility.
EPA has also published the guidance entitled “Evaluating Cybersecurity During Public Water Sanitary Surveys” to assist states with building cybersecurity into sanitary surveys. This guidance focuses on options for evaluating and improving the cybersecurity of operational technology used for safe drinking water.
Furthermore, EPA will be offering state agencies additional training on how to implement best practices for cybersecurity and use the available resources. The agency is also providing consultations with subject matter experts and direct technical assistance to water systems to conduct assessments of their cybersecurity practices and plans for closing security gaps.
“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator for Water Radhika Fox. “Cyberattacks have the potential to contaminate drinking water, which threatens public health.”
“Americans deserve to have confidence in their water systems resilience to cyber attackers. The EPA”™s new action requires water systems to implement adequate cybersecurity to provide that confidence,” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies in the Biden administration. “EPA used a flexible approach to enable water systems to craft the most effective ways to protect water services The EPA”™s action is another step in the administration”™s relentless focus on improving the cybersecurity of critical infrastructure by setting minimum cybersecurity measures for owners and operators of the water, pipelines rail other critical services Americans rely on.”
