EPA issues memorandum to address PWS cybersecurity using sanitary surveys, improve resilience
With the rise in cyber-attacks against critical infrastructure facilities, including public water systems (PWSs), the U.S. Environmental Protection Agency (EPA) issued a memorandum that calls upon states to evaluate the cybersecurity of operational technology (OT) used by a PWS when conducting PWS sanitary surveys or through other state programs.

The memorandum explains various approaches to including cybersecurity in PWS sanitary surveys or other state programs. Additionally, the EPA is providing extensive guidance, training, and technical assistance to help states and PWSs increase resilience to cybersecurity incidents.

“The goal of sanitary surveys is to ensure that states effectively identify significant deficiencies and that public water systems then correct those significant deficiencies—including cybersecurity-related significant deficiencies—that could impact safe drinking water,” Radhika Fox, assistant administrator at the EPA, wrote Friday in the memorandum addressed to state drinking water administrators and water division directors, Regions I-X. “EPA is offering significant technical assistance and support to states in this effort as well as to PWSs in helping to close cybersecurity gaps.”

Fox highlighted that PWSs are frequent targets of malicious cyber activity, which has the same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack. “Clarifying that cybersecurity must be evaluated in reviewing operational technology that is part of a PWS’ equipment or operation during sanitary surveys or other state programs will help reduce the likelihood of a successful cyber-attack on a PWS and improve recovery if a cyber incident occurs,” she added.

The memorandum concerns the assessment and improvement of cybersecurity of OT systems at PWSs through sanitary surveys or alternative state programs. It does not encompass all components necessary for a comprehensive critical infrastructure cybersecurity program, such as potential state roles in cyber incident reporting and response.

The agency said that the use of OT, including ICS (industrial control systems) like SCADA (supervisory control and data acquisition), in the production and distribution of drinking water has become widespread among PWSs of all sizes and types. These control systems have allowed PWSs to reduce onsite staffing and to operate collection, treatment, and distribution system processes more efficiently. Notably, they permit remote monitoring and operation by offsite personnel, including third parties.

The EPA interprets the regulatory requirements relating to the conduct of sanitary surveys to require that, when a PWS uses OT, such as an ICS, as part of the equipment or operation of any required component of a sanitary survey, the sanitary survey of that PWS must also include an evaluation of the adequacy of the cybersecurity of that OT for producing and distributing safe drinking water.

The EPA memorandum said that OT is also vulnerable to being disabled or manipulated through malicious cyber activity, which is occurring with increasing frequency. “Documented malicious cyber activity has utilized various techniques, such as stolen credentials from authorized users, malicious URLs and websites, vulnerabilities in software applications, compromised third-party software and service providers, insecure remote access systems, insider attacks, and others. Intrusion by a cyber threat actor into an operational technology network can compromise the ability of a water system to produce and/or distribute safe drinking water,” it added. 

Accordingly, to comply with the requirement to conduct a ‘sanitary survey,’ a state must determine whether the PWS uses an ICS or other OT as part of the equipment or operation of any required component of the sanitary survey; if it does, the state must evaluate the adequacy of the cybersecurity of that OT for producing and distributing safe drinking water. If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, the state must use its authority to require the PWS to address that significant deficiency.

The EPA recognizes that several states have already established programs to evaluate PWS cybersecurity practices and to assist PWSs with protecting against cyber threats. Other states may need more capacity to assist communities sufficiently in building protections against cyber threats. “To account for the differences among states in their capacity and capability, EPA is providing information on different approaches states could employ to evaluate cybersecurity at PWSs. In addition, states may want the flexibility to use different approaches based on the circumstances of individual PWSs, as well as to transition from one approach to another as capacity and capability change over time,” the memorandum added.

States that have or establish the requisite authority may require PWSs to conduct a self-assessment of cybersecurity practices to identify cybersecurity gaps. The PWS may choose self-assessment or third-party assessment. 

PWSs could conduct the assessment using a government or private-sector method approved by the state, such as those from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), American Water Works Association (AWWA), International Organization for Standardization (ISO), and International Society of Automation/International Electrotechnical Commission (ISA/IEC). 

The EPA also published a guidance document with this memorandum for public comment, which provides an optional method that PWSs (or states) may use to conduct an assessment with a checklist of recommended cybersecurity practices and controls. 

Alternatively, a PWS could undergo an assessment of cybersecurity practices by an outside party, EPA’s Water Sector Cybersecurity Evaluation Program, or another government or private sector technical assistance provider approved by the state. EPA is expanding its capacity to assist states and PWSs with conducting assessments.

The memorandum also pointed out that states may require PWSs to develop follow-on risk mitigation plans to address cybersecurity gaps identified during the assessment, including any significant deficiencies if designated by the state. The risk mitigation plan would list planned mitigation actions and schedules. The state would review the risk mitigation plan during the sanitary survey, ensure that the PWS is taking necessary steps to address any significant deficiencies if designated by the state, and offer to identify additional resources PWSs could use to address those gaps.

“States could choose for surveyors to evaluate cybersecurity practices directly during a sanitary survey of a PWS to identify cybersecurity gaps and determine if any of those gaps should be designated as significant deficiencies,” the memorandum said. “This approach is consistent with how states conduct sanitary surveys of other components of PWS operations. Under this option, the state, rather than the PWS or a third party, would conduct the cybersecurity assessment and would direct the PWS to address any significant deficiencies that the state identifies. EPA training and technical assistance on evaluating cybersecurity in PWS sanitary surveys are available to assist states that take this approach as well,” it added.

Several states have programs under which PWSs assess cybersecurity gaps in their current practices (which might be called ‘security gaps,’ ‘vulnerabilities,’ or an equivalent term) that could impact safe drinking water, and implement controls to address those gaps. To be at least as stringent as a sanitary survey, state surveyors must ensure that the alternate state programs effectively identify cybersecurity gaps or their equivalent through an assessment and that PWSs address any significant deficiencies if designated by the state.

The memorandum adds that the cybersecurity assessment must be done at least as often as the required sanitary survey frequency for the PWS, typically every three or five years.

In support of the memorandum, EPA is providing guidance to states and PWSs to assist in the evaluation of cybersecurity at PWSs during sanitary surveys. With the memo, EPA has published a guidance document, ‘Evaluating Cybersecurity in PWS Sanitary Surveys,’ for public comment. This guidance includes an optional checklist of cybersecurity practices that could be used to assess cybersecurity at a PWS, identify gaps (including potential significant deficiencies), and select remediation actions appropriate to the capabilities and circumstances of the PWS.

The checklist directly reflects the CISA Cross-Sector Cybersecurity Performance Goals and includes recommended practices and controls to enhance the security and resilience of OT against cyber-attacks. It also includes recommended practices that PWSs could voluntarily implement to improve the cybersecurity of IT networks that are connected to the PWS OT. The guidance has an optional template for a cybersecurity risk mitigation plan.

EPA will offer training for states and PWSs on evaluating cybersecurity in sanitary surveys this year. Like the guidance, the training will cover approaches to evaluate cybersecurity practices at a PWS, including identifying gaps and potential significant deficiencies, actions that PWSs could employ to address cybersecurity gaps, information protection, available technical assistance from EPA and other public and private-sector organizations, and potential funding. 

All training will be provided virtually with recorded versions available. In-person training may be provided as well. Training will be offered separately for states in each EPA Region. For PWSs, training will be available nationally. For all training, EPA will strive to ensure state approval of Continuing Education Credits/Units (CECs/CEUs).

EPA set up the Cybersecurity Technical Assistance Program for the Water Sector, where states and PWSs can submit questions or request to consult with a subject matter expert (SME) regarding cybersecurity in PWS sanitary surveys, such as identifying whether a cybersecurity gap is a significant deficiency or selecting appropriate risk mitigation actions. EPA will strive to have an SME respond within two business days.

The EPA memorandum follows the release of the National Cybersecurity Strategy by the U.S. administration, which calls for a deep and enduring collaboration among stakeholders across the nation’s digital ecosystem. The document serves as a foundation for making cyberspace more inherently defensible, resilient, and aligned with the country’s values. It also imposes additional mandates on organizations that control the majority of the nation’s digital infrastructure, with an enhanced government role in disrupting hackers and state-sponsored entities.