On March 3, 2023, the U.S. Environmental Protection Agency (EPA) issued its Memorandum Addressing Public Water System (PWS) Cybersecurity in Sanitary Surveys or an Alternate Process to expand state audits of water systems to include an evaluation of operational technology cybersecurity. The memorandum states, “While PWSs have taken important steps to improve their cybersecurity, a recent survey and reports of cyberattacks show that many PWSs have failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by cyberattack—whether from an individual, criminal collective, or a sophisticated state or state sponsored actor.” The memorandum was issued a day after the White House released a comprehensive cybersecurity plan aimed at mitigating breach threats to government agencies, industry, schools, hospitals, and other key infrastructure.
Public Water Systems are the primary source of drinking water for approximately 90% of all Americans. Under the Safe Drinking Water Act (SDWA), public water systems are regulated by the EPA. The EPA establishes and enforces standards to ensure the safety of everyone’s drinking water. One of the several items that are mandated by the SDWA is the annual Consumer Confidence Report. That report which must be sent to all customers includes the following information:
There are approximately 155,693 public water systems in the United States [1]. They are classified in three tiers:
In 2007, for example, over 286 million Americans received their tap water from a community water system. Below is a description of how water systems work. In the last several years, information technology systems have been increasingly built into this process to enhance treatment and delivery. However, introduction of technology also presents potential risk.
Infrastructure elements, including water processing and delivery, have traditionally struggled with the concept of integrating information technology (IT) with operational technology (OT). This integration becomes even more challenging with the introduction of “Internet of Things” (IOT) devices added to the PWS ecosystem. These IT and OT advancements, including industrial control systems and supervisory control and data acquisition systems (ICS/SCADA), which can automate many elements of OT and improve the ability to monitor and control, can also increase risk. The potential risk is not just a systems breach but the interruption of critical services vital to our country, including power, telecommunications, roadways, and, yes, water. Like other government and municipal entities, water utilities have budget limitations. Accordingly, introducing new IT that requires ongoing updates, monitoring, and maintenance, necessitates additional investment to defend against public safety and national security threats to these critical infrastructure elements. It is a horrible day when corporate America is attacked. It can be deadly if water supplies are impacted.
Under the authority of the SDWA, 40 CFR § 142.16(b)(3) and (o)(2) already required states to conduct periodic audits or “sanitary surveys” of PWSs. In particular, the regulations require that these sanitary surveys include “an onsite review of the water source (identifying sources of contamination using results of source water assessments where available), facilities, equipment, operation, maintenance, and monitoring compliance of a public water system to evaluate the adequacy of the system, its sources and operations, and the distribution of safe drinking water.” 40 CFR § 142.16(b)(3). The EPA’s memorandum states that the new cybersecurity evaluation requirement merely clarifies what is meant to be included in the onsite review of “equipment” and “operation.” It is through this interpretation—and not any modification of existing regulations—that the EPA will now require states to include a cybersecurity review when conducting sanitary surveys. EPA’s memorandum identifies different approaches for states to fulfill this responsibility and provides a list of questions they may use in conducting the assessment.
The memorandum allows states to adopt one of three options for incorporating cybersecurity review into PWS sanitary surveys. As shown in the table below, states may utilize 1) PWS or third-party assessment, 2) state evaluation during the sanitary survey, or 3) an existing state water system cybersecurity program that is at least as stringent as a sanitary survey. Importantly, if a state allows PWSs to conduct their own cybersecurity evaluations or hire a third party, the assessment must be completed prior to the state sanitary survey. The state may also require the PWS to develop a risk mitigation plan prior to the sanitary survey to address any cybersecurity gaps that are identified during a self-assessment. Any method used for self-assessment would need to be conducted using a government or other state-approved method. Any private third party conducting the assessment would similarly need to be approved by the state.
Industry response to the EPA’s new cybersecurity assessment requirement for PWSs has been mixed. Mike Hamilton, former chief security officer for the City of Seattle, commented that limiting approved assessment methodology to government or state-approved methods “make[s] this activity hard to scale across the breadth of water utilities across the country.” Tracy Mehan, executive director of government affairs at the American Water Works Association, similarly warns that the plan puts states in a tough position by directing that cybersecurity reporting should start immediately.
Integration of the EPA’s new cybersecurity assessment into PWS operations may depend on the current state of the utility. Facilities with integrated IT and OT that have any outward or public facing network elements likely already have a robust cybersecurity program. If not, they will likely have a steep hill to climb to successfully complete the EPA’s mandated cybersecurity assessment and will need to begin securing their networks expeditiously. If IT and OT are still separated, there may be less risk of a significant gap now being identified during state sanitary surveys, but this does not mean that immediate action will not still be necessary; rather, the potential impact of a cyberattack is segregated based on the isolated nature of the OT environment. Action to protect internet facing network elements will still be required. If a utility cannot bill or track service, it is effectively shut down, which may present a public safety or national security threat.
Conversely, reliance on the EPA’s memorandum alone may not be enough to secure the nation’s water supply. Tied to the current requirements for community and non-community state sanitary surveys, PWS cybersecurity assessments will be necessary once every three or five years, or more frequently where appropriate. Cybersecurity good practices typically suggest more frequent and ongoing assessment.
With its memorandum, EPA provides an optional checklist that states may use during a sanitary survey to evaluate the cybersecurity of a PWS’s operational technology. Prior to the rule coming into effect, if a state does not elect to implement a self- or third-party assessment, PWSs should give serious consideration to this checklist and take steps to develop a plan that includes creating internal accountability and conducting an informal cybersecurity review sufficiently in advance of any upcoming sanitary survey to allow for implementation of corrective good practices prior to state assessment. Additional guidance can be found in the EPA publication, “Evaluating Cybersecurity During Public Water System Sanitary Surveys.”
For some PWSs, this will be starting from scratch. They should start with the EPA checklist (shown below) and other free tools available to establish a picture of the current state and begin working on enhancing their ability to defend against and respond to cyberattack. PWSs can also look to trusted third party consultants to help them down this path.
Account Security
Device Security
Data Security
Governance & Training
Vulnerability Management
Supply Chain / Third Party
Response & Recovery
Other
Professionals with expertise in Environmental Compliance audits and program evaluation, Enterprise Risk Management program development and evaluation, and Cyber Security risk assessment and mitigation can help impacted organizations prepare for compliance. Additionally, the right experts can provide custom operational, programmatic, and governance-oriented solutions, assisting a PWS in beginning the journey toward enhanced cyber security, including developing a roadmap to compliance with EPA’s new cybersecurity requirements prior to future state sanitary surveys.
We would like to thank our colleagues Kim Logue, John F. Peiserich, and Ron J. Yearwood, Jr., CISSP, CISM, CIPM for insights and expertise that greatly assisted this research.
Kim Logue is an Associate Vice President in J.S. Held’s Environmental, Health & Safety - Risk & Compliance group. Ms. Logue specializes in environmental risk and compliance. With over 15 years of experience in the areas of environmental and natural resources law, Ms. Logue provides consulting and expert services for industrial facilities and law firms throughout the country. She has extensive experience with assessing and managing potential and ongoing compliance obligations with innovative client-focused strategies. Ms. Logue conducts environmental compliance audits, advises clients on the development of effective environmental management systems, and conducts due diligence associated with mergers and acquisitions. She routinely supports clients on rulemaking and legislative efforts focused on environmental and natural resources issues.
Kim can be reached at [email protected] or +1 504 561 6563.
John Peiserich is an Executive Vice President and Practice Lead in J.S. Held’s Environmental, Health & Safety practice. With over 30 years of experience, John provides consulting and expert services for heavy industry and law firms throughout the country with a focus on Oil & Gas, Energy, and Public Utilities, including serving as an expert witness in arbitration proceedings and in state and federal courts. He has extensive experience evaluating risk associated with potential and ongoing compliance obligations, developing strategies around those obligations, and working to implement a client-focused compliance strategy. Mr. Peiserich has appointments as an Independent Monitor through EPA’s Suspension and Debarment Program. John routinely supports clients in a forward-facing role for rulemaking and legislative issues involving energy, environmental, Oil & Gas, and related issues.
John can be reached at [email protected] or +1 504 360 8373.
While cyber was incorporated in some general liability policies (GL) of the 1980s, the first cyber standalone policy was written in 1997 through AIG. Though groundbreaking, as it was the first to address cybersecurity, it...
The modern security ecosystem is diverse and ever-changing, a place where cyber risk is top of mind for leaders at all levels, and threats to information / data security and privacy evolve at the speed...
This paper examines the inherent risks surrounding the protection of client electronic data on cloud-based platforms that have arisen with the proliferation of the at-home work setting. It also explains why it’s important for users...