The Environmental Protection Agency (EPA) is making use of existing authority to order state public water systems to improve their computer defenses, with a new set of cybersecurity requirements that will force those with old or nonexistent programs to catch up with the modern threat landscape.
Existing “sanitary surveys” that public water systems are required to perform will now be updated with cybersecurity checks covering items such as vulnerabilities, defensive measures and patching. The new cybersecurity requirements are extensive, but it is still possible for some of the smallest water providers (and those that only provide water on a seasonal or tourism-driven basis) to slip through the cracks.
New cybersecurity requirements much needed at smaller utilities, but budget questions remain
A flurry of action by the Biden administration in addressing critical infrastructure has been prompted in no small part by some highly concerning incidents, not the least of which is a string of digital break-ins at public water systems over roughly the last three years. While none of those incidents ultimately resulted in tainted water reaching the public, it wasn’t for lack of trying.
The challenge that many of the country’s public water systems face is that they have not thought much about cybersecurity to date, in no small part because they have little to no budget for it. The utilities that are subject to the new cybersecurity requirements, over 150,000 in total across the country, will have to figure it out with some possible assistance from a new EPA fund and grants that the agency has announced.
The EPA is soliciting public comments on the new directive until May 31, so the final form of the cybersecurity requirements may ultimately change.
Some public water systems to implement cyber defenses for the first time
A certain number of public water systems will undoubtedly have a lot of work on their hands, as some of the smaller ones across the country have never had any kind of cyber defense program before now. These organizations will now be expected to have a certain level of security controls in place, to check regularly for vulnerabilities, and to keep on top of a patching schedule, among other duties.
These public water systems will have some reference points to begin with, however. Any relevant safety and compliance standard that has been approved by that particular state, such as NIST, may be selected as a self-assessment method for the required surveys. Utilities may also choose a state assessor, a third-party assessor (also approved by the state), or make use of the EPA’s Water Sector Cybersecurity Evaluation Program if they would prefer a capable outside source.
The EPA is also promising guidance that is to be developed and released throughout 2023, as well as training programs located across the nation that combine in-person and remote options. And the newly founded Cybersecurity Technical Assistance Program for the Water Sector will eventually serve as an on-demand resource for questions about the new cybersecurity requirements.
The new requirements will impact most of the country’s water systems, but quite a few will be exempt. Some are too small to fall under the EPA authority on which this directive is based (those that serve under 3,300 people), and some are considered “non-community” systems because they serve a transient population of some sort or only operate during particular seasons each year.