EPA Memorandum Directs Public Water Systems to Survey OT/ICS Cybersecurity

Water is one of the most abundant and precious resources on Earth, yet the increasingly digital and networked operations that supply clean and safe drinking water have experienced some neglect when it comes to modern-day cybersecurity best practices. According to the American Water Works Association, the U.S. has approximately 52,000 dispersed drinking water systems, many serving small-to-medium-sized communities with a population under 50,000.

The cybersecurity of public water systems (PWSs) varies and largely depends today on case-by-case evaluations of IT and OT resources – budgets, tools, and personnel. In 2022, government entities and security practitioners began to suggest a path forward for securing the water sector: better understanding of the risk landscape and preparedness of PWSs, public-private cooperation, innovative solutions and increased funding, community commitments and public education.

What Is the EPA’s Cybersecurity Memorandum?

A March 2023 Memorandum from the Environmental Protection Agency seeks to include the identification of cybersecurity deficiencies as part of periodic sanitary surveys. The goal of sanitary surveys is to ensure that states identify significant deficiencies in public water systems and correct those that could impact safe drinking water.

The memo notes “the use of operational technology, including industrial control systems like SCADA, in the production and distribution of drinking water has become widespread among PWSs of all sizes and types. These control systems have allowed PWSs to reduce onsite staffing and to operate collection, treatment, and distribution system processes more efficiently. Notably, they permit remote monitoring and operation by offsite personnel, including third parties.”

Sanitary surveys will evaluate the systems and technologies used at or for each of the following water system components:

  • Source
  • Treatment
  • Distribution system
  • Finished water storage
  • Pumps, pump facilities, and controls
  • Monitoring, reporting, and data verification
  • System management and operation, and
  • Operator compliance with state requirements

The memorandum requires public water systems to specifically review and evaluate the cybersecurity gaps associated with operational technology or industrial control system components of their operations used for producing and distributing safe drinking water. In an exercise often referred to as “crown jewel analysis,” owners and operators are instructed to review “the cybersecurity practices and controls needed to maintain the integrity and continued functioning of operational technology of the PWS that could impact the supply or safety of the water provided to customers.”

How Will the EPA Monitor Cybersecurity Levels?

Compliance with the new requirement, which utilizes a cybersecurity checklist that reflects CISA’s Cross-Sector Cybersecurity Performance Goals, entails the following:

  1. If the PWS uses an ICS or other operational technology as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.
  2. If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the PWS to address the significant deficiency.

Cybersecurity deficiencies for discovery and remediation broadly include:

  • The absence of a practice or control
  • The presence of a vulnerability that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water

Asset owners can submit questions or request to consult with a remote subject matter expert (SME). EPA has promised to have an SME respond to the questioner, suggesting a two-business-day wait time for responses. The EPA notes that “The technical assistance service will not be an emergency line to report cyber incidents and it will not serve as a resource for cyber incident response or recovery efforts.”

Cyber incidents targeting water systems can have far-reaching impacts. Within the first day, disruption to critical water supplies can have cascading effects on healthcare and medical facilities, food and agriculture production and processing, energy, government, safety, and transportation. Water utilities face serious cybersecurity threats from increasingly automated and vulnerable operational systems that are easy targets for bad actors. Having a strong cybersecurity program in place for water utilities is critically important to maintain resilience.

The Basics of Prevention

  • Review and revise access controls
  • Audit and enforce password policies
  • Be on high alert for new phishing attempts
  • Patch what you can
  • Scan for vulnerabilities, internal and external
  • Review third-party access to your people, processes, and technology
  • Evaluate supply chain dependencies
  • Plan ahead

Nozomi Networks Steps for Enhancing Cybersecurity for Water Utilities

  • Asset discovery and inventory
  • Vulnerability scanning and network mapping
  • Threat intelligence and known indicators of compromise
  • Sophisticated data analytics and situational awareness

The Nozomi Networks platform anticipates cybersecurity risks in your operational systems through asset intelligence, vulnerability assessments and anomaly detection. Our asset discovery feature delivers prioritized risk assessments and alerts. Insight into your network traffic quickly exposes vulnerabilities to help you focus cyber risk management and compliance efforts.

Additional resources:

  • The EPA is providing guidance, training, and technical assistance to help states and PWSs include cybersecurity in sanitary surveys.
  • The U.S. WaterISAC community incorporates member information exchange with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, the U.S. Environmental Protection Agency, state intelligence fusion centers, and other federal and state agencies.