The US Environmental Protection Agency (EPA) has issued a new memorandum last Friday calling for an enhancement of cybersecurity efforts nationwide to protect the country’s drinking water systems.
In particular, the document clarifies that while some public water systems (PWSs) have already improved their cybersecurity, data seen by EPA suggests several of them have not adopted essential cybersecurity best practices and are at risk of being affected by threat actors’ activities.
“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. [They] have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water, Radhika Fox.
“EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
In particular, the memorandum highlights the need for states to include cybersecurity when conducting periodic audits of water systems (“sanitary surveys”). To this end, EPA is providing guidance in the form of a survey designed to assist states in implementing cybersecurity strategies into sanitary surveys.
“EPA’s cybersecurity technical assistance program provided a wonderful jumping-off point to work on improving the cybersecurity of the water and sewer systems,” commented Amy Rusiecki, assistant superintendent of operations at the Town of Amherst Public Works, Massachusetts.
“The program armed us with the tools to have the appropriate conversations with the Town’s IT staff and our water/sewer staff to take small steps towards improvement. The roadmap for how to correct the Town’s vulnerabilities is still driving decisions today.”
The Agency clarified that while the guidelines can be used as they are, EPA is also open to receiving public comment on Sections 4–8 of the guidance and all document Appendices until May 31 2023.
The memorandum comes one day after the Biden-Harris administration published its National Cybersecurity Strategy.