US EPA presents to Congress cybersecurity support plan for public water systems

The U.S. Environmental Protection Agency (EPA) recently presented a document covering a cybersecurity support plan for public water systems (PWSs) to Congress. The plan looks into the methodology to identify specific PWSs for which cybersecurity support should be prioritized, in addition to prescribing timelines for making voluntary technical support for cybersecurity available to specific PWSs. 

The move comes in response to the Infrastructure Investment and Jobs Act (IIJA Act) which requires the EPA, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), to develop a cybersecurity support plan. However, all support to the PWSs under the support plan is voluntary. The Act directed that “the Administrator [EPA], in coordination with the Director [CISA] and using existing authorities of [EPA] and [CISA] for providing voluntary support to public water systems and the Prioritization Framework, shall develop a Technical Cybersecurity Support Plan for public water systems.” 

The document presented to Congress is titled “Technical Cybersecurity Support Plan for Public Water Systems – Report to Congress.” The support plan it contains must address the methodology, as established by the Prioritization Framework, for identifying the specific PWSs for which cybersecurity support should be prioritized, together with timelines for making voluntary technical support for cybersecurity available to the specific PWSs that the EPA and CISA identify as needing it. The plan must also describe the specific capabilities of the two agencies that may be utilized to provide support to PWSs. This may include site vulnerability and risk assessments, penetration tests, and any additional support determined to be appropriate by the EPA. 

The support plan describes specific capabilities of EPA and CISA that may be utilized to support PWSs, including currently available and planned future support with separate timelines. 

Some currently available services are self-assessments, which would be conducted by the PWS and can be accessed at any time. Other services require coordination and must be scheduled. Typically, the wait time to schedule facilitated assessments is minimal. For example, the vulnerability scanning and web application scanning offered by CISA begins within one week of a facility returning the appropriate forms.

The planned future support is targeted at the PWSs identified as having an elevated need for technical cybersecurity support and comprises two areas: a checklist of best practices and technical support. 

The checklist of cybersecurity best practices coupled with training will be targeted to small community water systems (serving 3,300 people or fewer) and all non-community water systems that did not develop risk assessments and emergency response plans under America’s Water Infrastructure Act of 2018. Technical support for PWSs addresses vulnerabilities in current cybersecurity practices, which may be identified through a cybersecurity assessment program. 

The EPA intends to offer this support beginning in the calendar year 2023. In 2022, EPA expects to develop the cybersecurity checklist guidance and training and build the capacity to provide technical support for addressing cybersecurity deficiencies through a collaborative stakeholder process. These products and services would then be delivered when available in 2023 on an ongoing basis.

The document also said that the EPA identified two situations where PWSs may have an elevated need for technical cybersecurity support. Firstly, under America’s Water Infrastructure Act of 2018, all community water systems serving over 3,300 people were required to conduct risk and resilience assessments that included computer and other automated systems and to address cybersecurity in emergency response planning. Consequently, smaller community and non-community water systems may not have undertaken these important security steps. Additionally, the EPA plans to develop a ‘checklist’ of cybersecurity best practices and associated training to assist these PWSs with identifying and addressing cybersecurity vulnerabilities.

Secondly, where PWSs undergo a cybersecurity assessment, and the assessment identifies vulnerabilities that need to be addressed, the PWS may request technical cybersecurity support, the document said. EPA plans to stand up a technical support service to provide individual assistance to PWSs with adopting cybersecurity practices to remediate the vulnerabilities. 

The document also notes that industrial control systems (ICS) are essential to the operation of U.S. critical infrastructure. ICS owners and operators face threats from various adversaries whose intentions include theft, intelligence gathering, and disrupting national critical functions. As ICS owners and operators adopt new technologies to improve operational efficiencies, they should be aware of the additional cybersecurity risk of connecting operational technology (OT) to enterprise IT systems and Internet of Things (IoT) devices. The document also describes the ICS prevention and response resources available to improve ICS protection.

The Prioritization Framework is a separate document required under the IIJA Act that describes a methodology for prioritizing PWSs for technical cybersecurity support. The framework is structured as a series of qualitative questions derived from the criteria that the legislation requires the EPA to consider. This qualitative structure is intended to provide the flexibility needed to tailor the prioritization of PWSs for technical cybersecurity support to specific threat circumstances and to the needs of individual PWSs.

The document identifies that the framework is not designed to assign a water system to a fixed prioritization rank independent of a scenario where prioritization is needed. “Rather, it reflects the understanding that prioritizing PWSs for technical cybersecurity support will depend on the circumstances of a particular scenario (e.g., the type of cybersecurity vulnerability and technical support required, the number of water systems requesting assistance, and the capacity to deliver support). Existing circumstances have not required the use of a prioritization framework. Should that need arise in the future, the Framework offered here could be adjusted as needed,” it added.

Under the Prioritization Framework, if demand for cybersecurity support exceeds the near-term capacity to respond, a PWS would be asked to respond to the prioritization questions. Then, in coordination with CISA, EPA would use those answers, as well as a number of other factors, to prioritize the requests for assistance. 

Other factors may include the risk to PWS operations and potential adverse impacts on the service area, downstream critical infrastructure, and defense/national security assets. It may also cover the capabilities of a PWS to remediate the vulnerability without federal support and the risk reduction benefits that technical cybersecurity support would achieve.

The document comes at a time when attackers have once again targeted the water sector. The Russia-based Cl0p ransomware group breached systems at the U.K. water supply company South Staffordshire in mid-August. Coming in the middle of one of the worst droughts the U.K. has faced, the attack demonstrates that very little has changed since last year’s remote access attack on the Oldsmar, Florida water treatment plant.
