EPA Releases Water Systems Cyber Requirement in Tandem with National Strategy

zstockphotos/Getty Images

The Environmental Protection Agency unveiled new cybersecurity guidelines to help states evaluate their water sanitation systems’ defenses.

Moving in step with the just-released National Cyber Strategy, the Environmental Protection Agency issued a new memorandum to help improve the cybersecurity posture guarding the nation’s water filtration systems. 

Pursuant to the national framework, the EPA will require states to survey the digital networks governing drinking water filtration operations. This follows a slew of cyberattacks targeting critical infrastructure in the U.S., with water systems becoming recent targets. 

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyberattacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water Radhika Fox. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems."

The EPA will help provide resources for states to evaluate their water systems’ security. New guidance titled “Evaluating Cybersecurity During Public Water Sanitary Surveys” will help state governments implement a stronger cybersecurity posture into their existing water purification systems. 

Pursuant to the memorandum—which interprets existing sanitary survey requirements to include cybersecurity evaluations—the EPA is requiring that states conduct “periodic” audits of their water systems’ sanitary quality to confirm compliance. The agency defines the required sanitary surveys as “an onsite review of the water source, facilities, equipment, operation and maintenance of a PWS for the purpose of evaluating the adequacy of such source, facilities, equipment, operation and maintenance for producing and distributing safe drinking water.”

Both hardware and software will be subject to the EPA’s new guidance. To ensure all states can participate in these reviews, the EPA offers several evaluation methods, including surveyors and third-party assessments, as well as thorough self assessments. 

“The EPA's new action requires water systems to implement adequate cybersecurity to provide that confidence,” said Anne Neuberger, the deputy national security advisor for cyber and emerging technologies. “EPA used a flexible approach to enable water systems to craft the most effective ways to protect water services.”