The Environmental Protection Agency (EPA) released a new memo today that calls on states to bolster their cybersecurity practices in order to mitigate the risk of cyberattacks and protect U.S. public drinking water.
While some public water systems (PWSs) have taken steps to improve their cyber posture, the EPA said a recent survey found that many have not adopted cyber best practices and are at risk of attack.
The memo requires states to survey cyber best practices at PWSs and to include cybersecurity when they conduct periodic audits of water systems – known as “sanitary surveys.”
“Americans deserve to have confidence in their water systems’ resilience to cyber attackers. The EPA’s new action requires water systems to implement adequate cybersecurity to provide that confidence,” Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies, said in a statement.
“EPA used a flexible approach to enable water systems to craft the most effective ways to protect water services,” she continued. “The EPA’s action is another step in the administration’s relentless focus on improving the cybersecurity of critical infrastructure by setting minimum cybersecurity measures for owners and operators of the water, pipelines, rail, [and] other critical services Americans rely on.”
In a call with reporters on Thursday afternoon, EPA Assistant Administrator Radhika Fox explained that cyber threats in the water sector are “not a hypothetical,” and that the agency has already seen these types of cyberattacks in states such as California, Florida, Kansas, Maine, and Nevada.
One of the most prominent attacks that prompted the EPA to take action occurred in Kansas, according to David Travers, the director of the EPA’s Water Infrastructure and Cyber Resilience Division.
Travers explained that after an individual was fired from a water facility, his login credentials were not revoked. The individual was then able to access the operational technology of the system remotely, and “effectively take the treatment process offline.”
“That is an example of a very basic access control measure that was not taken,” Travers told reporters. “We also see situations within the water sector where patching of software has not been done … so, it’s basic cybersecurity practices that we recommend.”
Another notable attack occurred in February 2021, when cyber criminals attempted to poison the water supply at an Oldsmar, Fla., water treatment facility.
“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyberattacks have the potential to contaminate drinking water, which threatens public health,” Fox said. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
EPA is providing technical assistance and resources to assist states and water systems as they work to implement stronger cybersecurity programs. The memo includes key information to assist states with building cyber into their sanitary surveys – specific to the operational technology used for safe drinking water.
While the EPA wants the guidance to be implemented “right away,” the agency is also requesting public comment on the guidance until May 31, 2023. Those who wish to submit comments can do so by emailing email@example.com. After the comment period, EPA said it plans to update the document as appropriate.
“The Minnesota Department of Health Drinking Water Protection program is looking forward to EPA’s release of guidance related to cybersecurity at public water supplies,” said Kim Larsen, Minnesota Department of Health regional supervisor. “This guidance will help to support our program’s overall mission to protect public health.”
“While cybersecurity can be a bit overwhelming for operators in the water sector, it is comforting to know that we can engage with EPA’s cybersecurity technical assistance program to assist with a comprehensive assessment of risk and vulnerability for our community’s water system,” added Jason C. Randall, superintendent of Plymouth Village Water & Sewer in New Hampshire.