Protecting Public Water Systems from Cyberattack: New Cybersecurity Regulations for State Governments

September 25, 2023

There are four basic things humans require to live: air, water, food, and shelter. Water systems are an essential part of the nation’s infrastructure, and cybersecurity professionals across the country are acutely aware of how exposed water treatment systems are. They are helping state governments understand the new security regulations and put them into practice.

How serious are the threats of cyberattacks on our public water systems?
Do a quick search and you’ll find your answer.

Here’s a story of a guy who was just indicted for hacking into a water treatment facility in California.

The US Environmental Protection Agency (EPA) announced on March 3, 2023, that cybersecurity must now be part of every public water system (PWS) sanitary survey. EPA has addressed water-sector cybersecurity in guidance since 2018, but the new memorandum goes further: states must evaluate cybersecurity when they conduct their periodic surveys of water systems, and they may choose one of three approaches to fulfill that responsibility.

There are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States.

Source: Cybersecurity & Infrastructure Security Agency (CISA)

What happened that is now forcing cybersecurity regulation on public water systems?

While some public water systems (PWSs) have taken important steps to improve their cybersecurity in recent years, the EPA found through an industry survey and reports of cyberattacks that many have not adopted basic cybersecurity practices and remain at high risk. The EPA views cybersecurity as necessary to providing clean and safe drinking water, and therefore as falling within the states’ existing oversight responsibilities.

In October of 2021, the Cybersecurity & Infrastructure Security Agency (CISA) issued a Cybersecurity Advisory as a collaborative effort between CISA, the Federal Bureau of Investigation, the Environmental Protection Agency, and the National Security Agency to highlight ongoing malicious cyber activity targeting networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) facilities.

Malicious cyber activity against PWSs has shut down critical treatment processes, locked up control system networks behind ransomware, and disabled the communications used to monitor and control distribution system infrastructure.

The trend toward new and more detailed cybersecurity regulations is one we expect to continue. The Nevada Gaming Commission’s and SEC’s (Securities and Exchange Commission) new regulations did not stop this month’s attacks on MGM Resorts and Caesars in Las Vegas, but those rules are only beginning to take effect. The massive losses and business disruption are sure to attract the attention of regulators in every sector.

What is the EPA’s new cybersecurity regulation and how does it differ from the 2018 Water Infrastructure Act?

The EPA’s new cybersecurity memorandum builds on the responsibilities covered in America’s Water Infrastructure Act of 2018 (AWIA). AWIA addresses community water systems serving more than 3,300 people, while the new cybersecurity requirements apply to public water systems of all sizes. The new requirement clarifies that states must provide oversight of local and community public water systems, and it compels states to include an assessment of the risk and resilience of the system’s computer and operational technology within the scope of their existing sanitary survey process.

The March memorandum also directs states to document cybersecurity deficiencies and to use their authority to require the PWS to address any that are significant. Where a deficiency is found, the corrective plan should cover fixing the vulnerability, developing and implementing strategies to improve the resilience of the system, and communicating with the EPA about the deficiencies and the corrective actions taken.

Despite the EPA’s earlier efforts to prompt state action, such as issuing the “Water Sector Cybersecurity Brief for States”, cybersecurity incidents continue to occur, and the U.S. Government is working through the EPA to educate and support treatment facility managers and state oversight bodies.

The March 2023 memorandum did not address the consequences for states that do not comply with the obligations it outlines.

What are some examples of cybersecurity vulnerabilities?

Cybersecurity threats range from mischievous individuals testing whether they can get past a network firewall, to criminals stealing customer payment card data for profit, to attackers hijacking water and wastewater control systems and changing chemical dosing, making the water unfit to drink.

Unauthorized system access and network intrusions can expose water management facilities to breaches that cause immediate damage and public concern. The joint CISA advisory cited several real incidents:

  • Unrevoked credentials – A former employee at a Kansas-based WWS facility used user credentials that had not been revoked after his departure in an unsuccessful attempt to threaten the local drinking water supply.
  • Ransomware compromises files – Personnel at a New Jersey-based WWS facility discovered Makop ransomware and located compromised files within their system.
  • Monitoring and backup systems attacked – Cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the SCADA (Supervisory Control and Data Acquisition) system and the backup systems.
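The first incident above is a control failure that a routine check catches: accounts that should have been disabled at separation, plus remote-capable accounts nobody uses anymore. The script below is an added example, not code from the article, EPA, or CISA. It cross-checks a constructed export of remote-access accounts against a constructed HR separation roster and a dormancy threshold; the field names and the 90-day threshold are assumptions, not any directory product’s export format or any regulatory figure.

```python
"""Stale-credential audit for a small utility's remote-access accounts.

Added illustration: all account and HR data below is constructed for the
example. Field names (user, enabled, last_login, remote_access) are
assumptions, not a vendor export format.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]   # None = the account has never logged in
    remote_access: bool          # member of the VPN / remote-HMI access group


# Constructed directory export (not real data).
ACCOUNTS: List[Account] = [
    Account("jdoe",      True,  date(2023, 9, 20), True),   # active operator
    Account("rsmith",    True,  date(2023, 1, 5),  True),   # resigned, never disabled
    Account("vendor1",   True,  None,              True),   # integrator login, never used
    Account("tcontract", True,  date(2023, 3, 1),  True),   # project ended, left dormant
    Account("mlee",      False, date(2022, 6, 1),  True),   # correctly disabled at exit
    Account("ops-hmi",   True,  date(2023, 9, 24), False),  # local-only shared console
]

# Constructed HR separation roster: user -> separation date.
SEPARATIONS: Dict[str, date] = {
    "rsmith": date(2023, 1, 31),
    "mlee":   date(2022, 6, 15),
}


def audit(accounts: List[Account], separations: Dict[str, date], today: date,
          dormant_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Return (user, reason) findings, in directory order.

    separated  - still enabled on or after the HR separation date
    never-used - enabled, remote-capable, and has never logged in
    dormant    - enabled, remote-capable, unused for longer than dormant_after
    """
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is the desired end state
        if a.user in separations and separations[a.user] <= today:
            findings.append((a.user, "separated"))
            continue  # the strongest finding; no need to also flag dormancy
        if a.remote_access:
            if a.last_login is None:
                findings.append((a.user, "never-used"))
            elif today - a.last_login > dormant_after:
                findings.append((a.user, "dormant"))
    return findings


def demo_findings() -> List[Tuple[str, str]]:
    """Run the audit over the constructed data as of 2023-09-25."""
    return audit(ACCOUNTS, SEPARATIONS, date(2023, 9, 25))


if __name__ == "__main__":
    for user, reason in demo_findings():
        print(f"{user}: {reason}")
```

Run against the sample data, the audit flags rsmith (separated but still enabled), vendor1 (remote-capable and never used), and tcontract (dormant); the correctly disabled mlee account and the local-only console produce no findings. In practice the account list comes from the directory or VPN concentrator export and the roster from HR, and the audit should run on a schedule rather than only at survey time.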

What are states required to do to comply with the public water system cybersecurity regulation?

The key change for states is the need to fold the new cybersecurity evaluation into their existing sanitary surveys of each water system. These surveys are part of an established monitoring process: onsite reviews of the water source, facilities, equipment, operation, and maintenance of a PWS, used to evaluate whether each of those elements is adequate for producing and distributing safe drinking water.

The EPA’s interpretation is that cybersecurity practices and controls fall under the existing review of the equipment and operation of the PWS, because a compromise of that equipment can affect the supply or safety of the water provided. Accordingly, states must do the following to comply with the requirement:

  1. If the PWS uses an ICS (Industrial Control System) or similar system, then the state must evaluate the adequacy of the cybersecurity of that operational technology.
  2. If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the PWS to address it.

EPA’s 100-page guidance, “Evaluating Cybersecurity During Public Water Sanitary Surveys”, is available to help states build cybersecurity evaluation into their sanitary surveys. EPA also offers technical assistance and technical and financial resources to states and water systems as they work toward a robust cybersecurity program. Details of these resources can be found in Section E of the EPA’s March 3rd memorandum.

How can states comply with the regulation and set relevant standards for their public water systems?

Recognizing the need for flexibility, the EPA offers states three options to choose from when integrating the cybersecurity regulations within their sanitary surveys. States may use different approaches based on the circumstances of individual PWSs and transition from one approach to another as capacity and capability change.

Option 1 — Self-assessment or third-party assessment

PWSs can conduct a self-assessment using a government or private-sector method approved by the State, such as those from DHS (Department of Homeland Security), CISA (Cybersecurity and Infrastructure Security Agency), NIST (National Institute of Standards and Technology), AWWA (American Water Works Association), ISO (International Organization for Standardization), and ISA/IEC (International Society of Automation/International Electrotechnical Commission).
PWSs can also undergo an assessment of cybersecurity practices by an outside party, such as EPA’s Water Sector Cybersecurity Evaluation Program or another government or private-sector technical assistance provider approved by the State. When choosing to work with a third party, ensure that they have the expertise and capacity to properly manage the assessment and any follow-up tasks or incident response.
States may require that PWSs develop follow-on risk mitigation plans to address identified deficiencies and gaps. These plans would list planned mitigation actions and schedules; they should be completed before the sanitary survey and then updated to reflect changes in cybersecurity practices and operational technology before each subsequent sanitary survey.

Option 2 — State evaluation of cybersecurity practices during the sanitary survey

States could choose for surveyors to evaluate cybersecurity practices directly during a sanitary survey of PWSs to identify cybersecurity gaps and determine if those gaps should be designated as significant deficiencies. The State—rather than the PWS or third party—would conduct the cybersecurity assessment and direct the PWS to address any significant deficiencies identified.

Option 3 — Alternative state program for water system cybersecurity

Some states may already participate in programs that include assessing cybersecurity for their PWSs. For example, the State Homeland Security Agency or Emergency Management agency may run a cybersecurity program covering all critical infrastructure in the State. If an alternative program is used to meet the new EPA requirement, it must be at least as stringent as a sanitary survey, and state surveyors must ensure that any gaps it identifies are addressed. The alternative assessments must be conducted at least as frequently as sanitary surveys for the PWS, typically every 3 or 5 years.

How will the revised regulation affect public water systems?

Cybersecurity has always been viewed as important, but the new EPA requirements put a spotlight on water systems’ exposure to cyberattacks. Compliance should not be delayed. Public water systems must be proactive about cybersecurity and responsive to identified concerns, gaps, and unauthorized access points in order to protect their digital infrastructure. States and PWSs need to assess cybersecurity risks and put plans in place to reduce their exposure to cyberattacks, outages, and contamination.

REDW Cybersecurity experts are standing by to help your organization go from reactive to proactive with public water system cybersecurity. Contact Brian Grayek, REDW IT and Cybersecurity Consulting Director today using the How can we help? form on this page. We’re here to make this easier.
