EPA Emphasizes Need for Cybersecurity Resilience of Public Water Systems

EPA Emphasizes Need for Cybersecurity Resilience of Public Water Systems

The U.S. Environmental Protection Agency (EPA) recently released a memorandum stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water. While some public water systems (PWSs) have taken important steps to improve their cybersecurity, a recent survey and reports of cyber-attacks show that many have not adopted basic cybersecurity best practices and are at risk of cyber-attacks — whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor. This memorandum requires states to survey cyber security best practices at PWSs.

“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water Radhika Fox. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems."

"Americans deserve to have confidence in their water systems resilience to cyber attackers. The EPA's new action requires water systems to implement adequate cybersecurity to provide that confidence. EPA used a flexible approach to enable water systems to craft the most effective ways to protect

water services. The EPA's action is another step in the Administration's relentless focus on improving the cybersecurity of critical infrastructure by setting minimum cybersecurity measures for owners and operators of the water, pipelines rail other critical services Americans rely on," said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies.

The memorandum conveys EPA’s interpretation that states must include cybersecurity when they conduct periodic audits of water systems (called “sanitary surveys”) and highlights different approaches for states to fulfill this responsibility.

EPA is providing technical assistance and resources to assist states and water systems as they work towards implementation of a robust cybersecurity program. EPA’s guidance entitled “Evaluating Cybersecurity During Public Water Sanitary Surveys” is intended to assist states with building cybersecurity into sanitary surveys. It includes key information on options for evaluating and improving the cybersecurity of operational technology used for safe drinking water. While this guidance is designed to be used right away, EPA is also requesting public comment on Sections 4-8 of the guidance and all Appendices until May 31, 2023. To submit comments, please email [email protected]. EPA plans to revise and update this document as appropriate based on public comment and new information.

EPA’s robust technical assistance program has already proven effective in aiding systems with their cybersecurity and EPA looks forward to working with other entities in the future.

“The Minnesota Department of Health Drinking Water Protection program is looking forward to EPA’s release of guidance related to cybersecurity at public water supplies,” said Kim Larsen, Minnesota Department of Health Regional Supervisor. “This guidance will help to support our programs overall mission to protect public health.”

“EPA’s cybersecurity technical assistance program provided a wonderful jumping-off point to work on improving the cybersecurity of the water and sewer systems,” said Amy Rusiecki, Assistant Superintendent of Operations, Town of Amherst Public Works, Massachusetts. “The program armed us with the tools to have the appropriate conversations with the Town’s IT staff and our water/sewer staff to take small steps towards improvement. The roadmap for how to correct the Town’s vulnerabilities is still driving decisions today.”

“With the help of the EPA’s cybersecurity technical assistance program’s free cybersecurity assessments and technical assistance, [we] were able to submit our cybersecurity program to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) with a Security Scorecard of 83 out of 100,” said Martin O. Hawlet, Superintendent, Atlantic Highlands Water Department, New Jersey.

“While cybersecurity can be a bit overwhelming for Operators in the water sector, it is comforting to know that we can engage with EPA’s cybersecurity technical assistance program to assist with a comprehensive assessment of risk and vulnerability for our community’s water system,” said Jason C. Randall, Superintendent, Plymouth Village Water & Sewer, New Hampshire. “The Cyber Action Plan deliverable is now our roadmap to implement recommended best practices, improving our cyber incident preparation, response, and recovery. These cyber actions ultimately protect our assets, employees, and the citizens we serve.”

“Cybersecurity is very important to our water utility. We understand its importance; however, we don't have any employees that are professionally trained to ensure the safety of our network. Thankfully, USEPA offered assistance to our utility at no cost via the Cybersecurity Technical Assistance Program,” said Eric Kiefer, Manager, North Shore Water Commission, Wisconsin. “As a participant of this program, our water utility was able to identify and rank the severity of our vulnerabilities. With targeted improvements, we have significantly reduced our exposure to cybersecurity threats and improved our ability to successfully recover from a disaster.”

To further assist public waters systems and states, EPA will be offering additional training on how to implement best practices for cybersecurity and use the available resources. EPA is also offering consultations with subject matter experts and direct technical assistance to water systems to conduct assessments of their cybersecurity practices and plans for closing security gaps.

Featured

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • The Progress of Biometrics

  • Next-Gen AI for Smart Cities

    The future of smart city technology is not being shaped in Silicon Valley — it is taking root in Dubuque, Iowa. With a population of about 60,000, this mid-sized city has become a live testbed for AI-driven traffic management thanks to a unique public-private collaboration led by Milestone Systems. Project Hafnia demonstrates how cities can transform urban mobility and safety through Responsible Technology—without costly infrastructure overhauls. Read Now

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.