EPA Announced Intent to Enforce the Fundamentals of OT Cybersecurity

By Chuck Andrews & Dave Gunter

Traditionally, the enforcement arm of the U.S. Environmental Protection Agency (EPA) has focused on the Safe Drinking Water Act (SDWA)[i] when it comes to public water utilities. The SDWA was originally passed by Congress in 1974 to protect public health by regulating the nation’s drinking water supply. The law was amended in 1986 and 1996 and requires many actions to protect drinking water and its sources—rivers, lakes, reservoirs, springs, and groundwater wells.

What has changed from the EPA?

On May 20, 2024, the EPA issued an enforcement alert entitled “EPA Outlines Enforcement Measures to Help Prevent Cybersecurity Attacks and Protect the Nation’s Drinking Water”[ii], outlining the urgent cybersecurity threats and vulnerabilities facing community drinking water systems and the steps required to comply with the SDWA. The alert is part of a government-wide effort, led by the National Security Council (NSC) and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), to reduce the nation’s infrastructure and cybersecurity vulnerabilities. As stated in the announcement, the EPA issued the alert “because threats to, and attacks on, the nation’s water system have increased in frequency and severity to a point where additional action is critical.”

So, what does it really mean? The alert emphasized the importance of the EPA’s ongoing inspection and enforcement activities under the SDWA and announced that the agency will increase the number of planned inspections and, where appropriate, will take civil and criminal enforcement actions. Inspections will verify that water systems are meeting their requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans.

The EPA alert went largely unnoticed outside the water sector, but the EPA’s enforcement covers around 153,000 public drinking water systems in the U.S. This move is not surprising and bears similarity to the U.S. Coast Guard’s issuance of NVIC 01-20 on February 26, 2020, which added cybersecurity to its annual inspections of maritime ports, terminals, and vessels. NVIC 01-20 makes Facility Security Officers (FSOs) responsible for addressing the basics of their port’s cybersecurity planning, marking a significant shift in cybersecurity enforcement at maritime facilities.

What is the EPA looking for? What are the key areas to address?

Interestingly, and maybe not surprisingly, the EPA collaborated with CISA and the FBI to define cybersecurity requirements for the critical infrastructure water sector. On February 23, 2024, the three agencies co-released updated best practices entitled “Top Cyber Actions for Securing Water Systems”[iii]. The update includes additional resources from the American Water Works Association (AWWA), the WaterISAC, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to support water systems in defending against malicious cyber activity.

While the agencies recognize the sector’s challenges, they expect organizations to develop plans to address or respond to these concerns. This release outlined the following cyber actions water operators can take to reduce risk and improve resilience:

  • Reduce exposure to public-facing internet.
  • Conduct regular cybersecurity assessments.
  • Change default passwords immediately.
  • Conduct an inventory of OT/IT assets.
  • Develop and exercise cybersecurity incident response and recovery plans.
  • Backup OT/IT systems.
  • Reduce exposure to vulnerabilities.
  • Conduct cybersecurity awareness training.
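Most of the actions above can be checked against an asset inventory, which is also why the inventory action is the one the others depend on. The following is an added example, not code from the article or from any of the agencies named: it runs a constructed OT/IT inventory through simple checks for default credentials, internet exposure, unpatched firmware, stale backups and stale assessments, and compares the inventory with a constructed list of addresses observed on the network to surface devices that were never inventoried. Field names, thresholds, device names, addresses and dates are all assumptions chosen for illustration.

```python
"""Added example: gap check of a constructed OT/IT asset inventory against
the "Top Cyber Actions for Securing Water Systems" list. Field names,
thresholds and every sample value below are assumptions for illustration."""
import ipaddress
from datetime import date, timedelta

# Thresholds are assumptions, not values taken from the agency guidance.
BACKUP_MAX_AGE = timedelta(days=30)
ASSESSMENT_MAX_AGE = timedelta(days=365)

# Fixed "today" so the run is reproducible (the date of the EPA alert).
TODAY = date(2024, 5, 20)

# Constructed sample inventory. Every device, address and date is made up.
ASSETS = [
    {"name": "plc-well-3", "ip": "10.20.1.15", "vendor_default_credentials": False,
     "direct_internet_access": False, "firmware_current": True,
     "last_backup": date(2024, 5, 10), "last_assessment": date(2024, 1, 15)},
    {"name": "hmi-treatment", "ip": "10.20.1.40", "vendor_default_credentials": True,
     "direct_internet_access": False, "firmware_current": True,
     "last_backup": date(2024, 5, 12), "last_assessment": date(2024, 1, 15)},
    {"name": "cell-modem-lift-7", "ip": "203.0.113.27", "vendor_default_credentials": True,
     "direct_internet_access": True, "firmware_current": False,
     "last_backup": None, "last_assessment": None},
    {"name": "historian", "ip": "10.20.2.5", "vendor_default_credentials": False,
     "direct_internet_access": False, "firmware_current": True,
     "last_backup": date(2024, 2, 1), "last_assessment": date(2024, 1, 15)},
]

# Constructed list of addresses seen by a passive network capture. One of
# them (10.20.1.77) does not appear in the inventory above.
OBSERVED_IPS = ["10.20.1.15", "10.20.1.40", "10.20.1.77", "10.20.2.5", "203.0.113.27"]


def check_asset(asset, today):
    """Return the top cyber actions this asset does not yet meet."""
    gaps = []
    if asset["vendor_default_credentials"]:
        gaps.append("Change default passwords")
    # A globally routable address or a direct internet path both count as
    # exposure. Note that the constructed 203.0.113.x address sits in a
    # documentation range, which the ipaddress module does not treat as
    # global, so the explicit flag is what triggers the check for it.
    addr = ipaddress.ip_address(asset["ip"])
    if addr.is_global or asset["direct_internet_access"]:
        gaps.append("Reduce exposure to public-facing internet")
    if not asset["firmware_current"]:
        gaps.append("Reduce exposure to vulnerabilities")
    last_backup = asset["last_backup"]
    if last_backup is None or today - last_backup > BACKUP_MAX_AGE:
        gaps.append("Backup OT/IT systems")
    last_assessment = asset["last_assessment"]
    if last_assessment is None or today - last_assessment > ASSESSMENT_MAX_AGE:
        gaps.append("Conduct regular cybersecurity assessments")
    return gaps


def inventory_gaps(assets, observed_ips, today):
    """Map each asset name to its gaps. Observed addresses missing from the
    inventory are listed under the key "unlisted": an inventory gap."""
    report = {a["name"]: check_asset(a, today) for a in assets}
    known = {a["ip"] for a in assets}
    unlisted = sorted(ip for ip in observed_ips if ip not in known)
    if unlisted:
        report["unlisted"] = unlisted
    return report


if __name__ == "__main__":
    for name, gaps in inventory_gaps(ASSETS, OBSERVED_IPS, TODAY).items():
        print(f"{name}: {', '.join(gaps) if gaps else 'no gaps found'}")
```

In practice the inventory would come from a maintained asset register and the observed addresses from a passive capture on the control network; the point of the comparison is that a device that was never inventoried cannot be backed up, patched or assessed, so the unlisted entries are the first thing to chase.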

The key point for the water sector is that agencies like the EPA, CISA, FBI, and DHS are simply asking them to follow fundamental cybersecurity industry best practices that have been recognized for over 15 years.

To draw a parallel, the OSHA standard for Process Safety Management requires that all equipment, inspections, and testing procedures comply with “Recognized and Generally Accepted Good Engineering Practices” (RAGAGEP), which are the basis for engineering, operation, and maintenance activities for process safety. RAGAGEP are themselves based on established codes, standards, published technical reports, recommended practices (RP), and similar documents. Similarly, the Top Cyber Actions for Securing Water Systems document aligns with fundamental cybersecurity best practices found in OT and IT frameworks, such as the NIST Cybersecurity Framework[iv] and the ISA/IEC 62443 series of standards, which define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS)[v].

In conclusion, water facilities must prioritize the fundamentals of OT cybersecurity to protect our nation’s critical infrastructure. Given the health, safety, and environmental risks, the cost of doing nothing far exceeds the cost of putting a plan together and funding it as a priority to address the basics of cybersecurity within the OT systems of our nation’s water facilities.

----------

[i] Safe Drinking Water Act section 1433

[ii] “EPA Outlines Enforcement Measures to Help Prevent Cybersecurity Attacks and Protect the Nation’s Drinking Water,” US EPA

[iii] https://www.cisa.gov/resources-tools/resources/top-cyber-actions-securing-water-systems

[iv] https://www.nist.gov/cyberframework

[v] https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
