EPA takes steps to address cybersecurity weaknesses at water utilities
The U.S. Environmental Protection Agency (EPA) is asking states to include cybersecurity in its audits of public water systems in a measure designed to address a spate of attacks on the sector.
In a memorandum released Friday, EPA officials said several public water systems have not adopted even basic cybersecurity best practices — leaving them exposed to dangerous digital attacks.
“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyberattacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator, Radhika Fox. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
On a press call, several EPA officials warned that cyberattacks on water facilities were increasing, adding that attacks were coming from nation-state hackers and cybercriminals, as well as disgruntled employees. Voluntary cybersecurity rules had “yielded minimal progress” and the EPA said “many water systems do not implement cybersecurity practices.”
Officials said cyberattacks have previously “shut down critical treatment processes, locked up control system networks behind ransomware, and disabled communications used to monitor and control distribution system infrastructure like pumping stations.”
“Including cybersecurity in PWS [public water systems] sanitary surveys, or equivalent alternate programs, is an essential tool to address vulnerabilities and mitigate consequences, which can reduce the risk of a successful cyberattack on a PWS and improve recovery if a cyber incident occurs,” they said.
A new approach
The memorandum comes on the back of the release of the White House’s National Cybersecurity Strategy, which laid out plans for the government to issue more mandatory regulations for critical infrastructure.
Senior Biden administration officials mentioned that one of the first industries they planned to issue guidelines to was the water sector. While much of the strategy leans heavily on the idea that regulatory power would be provided to the federal government by Congress, House Republicans threw cold water on that idea almost immediately.
But during a Center for Strategic and International Studies event yesterday, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the federal government has “the vast majority of authorities we need.”
Fox told reporters that the EPA actions announced on Friday are a reinterpretation of the Safe Drinking Water Act, which requires that states assess the physical operational capacities of drinking water systems. Fox said cybersecurity and related threats are now on the same level as physical threats and need to be examined alongside them.
The audits – called “sanitary surveys” – are conducted by state-level agencies, and Fox said the EPA is providing technical assistance and resources to help officials implement cybersecurity programs.
The EPA sent out a document outlining how states can add cybersecurity to sanitary surveys that provides information on both evaluating and improving the cybersecurity of operational technology used for safe drinking water.
The EPA would not comment on what penalties are in place for those that fail these audits or for states that do not include cybersecurity in the audits. They also declined to answer questions about what kind of attacks water facilities typically face, but several officials at the EPA said ransomware has become a significant concern due to an increase in attacks.
U.S. law enforcement agencies said ransomware gangs hit five U.S. water and wastewater treatment facilities from 2019 to 2021 — and those figures did not include three other widely-reported cyberattacks on water utilities.
Neuberger said Americans “deserve to have confidence in their water systems’ resilience to cyber attackers.”
“The EPA's new action requires water systems to implement adequate cybersecurity to provide that confidence. EPA used a flexible approach to enable water systems to craft the most effective ways to protect water services,” she said.
“The EPA's action is another step in the Administration's relentless focus on improving the cybersecurity of critical infrastructure by setting minimum cybersecurity measures for owners and operators of the water, pipelines, rail and other critical services Americans rely on.”
State feedback
The agency wants the cybersecurity additions to the audits to be made immediately but is giving states and organizations until May 31 to provide comment on the new rules. They will update or revise the document based on any changes suggested.
Several state-level officials in Minnesota, Massachusetts, New Jersey, New Hampshire and Wisconsin said they have already worked with the EPA on the measures and were working to implement the guidelines.
“EPA’s cybersecurity technical assistance program provided a wonderful jumping-off point to work on improving the cybersecurity of the water and sewer systems,” said Amy Rusiecki, Assistant Superintendent of Operations, Town of Amherst Public Works, Massachusetts.
“The program armed us with the tools to have the appropriate conversations with the Town’s IT staff and our water/sewer staff to take small steps towards improvement. The roadmap for how to correct the Town’s vulnerabilities is still driving decisions today.”
Martin Hawlet, Superintendent for the Atlantic Highlands Water Department in New Jersey said they used the EPA’s free cybersecurity assessments and technical assistance to get in compliance with New Jersey cybersecurity regulations.
Several water industry officials said cybersecurity can “be a bit overwhelming for operators in the water sector” and others mentioned that they do not have any employees trained to handle cybersecurity.
Eric Kiefer, a manager at North Shore Water Commission in Wisconsin, said they were able to enroll in the Cybersecurity Technical Assistance Program, which helped them identify and rank the severity of the vulnerabilities in their network.
Fox said the EPA will be offering more training and resources to water facilities that reach out to it for help. The EPA added that in addition to its work with several states, it engaged with the Water Sector Coordinating Council, the Water Government Coordinating Council and others to hear their concerns and get feedback on the memorandum.
Nozomi Networks’ Chris Grove, an operational technology cybersecurity expert who works with several water facilities, said water and wastewater organizations are often in the tough position of balancing minuscule municipal budgets against safety.
“Even though safe drinking water is crucial to our society, there is less cybersecurity regulation there than for cereal or pharmaceuticals. The new EPA self-assessment provides a high-level, non-prescriptive approach to ensuring the water providers are paying attention, in some form or fashion, to their cybersecurity,” Grove told The Record.
Critical Insight CISO Mike Hamilton said it was a bit disheartening that the third-party assessment resources seem limited to the Department of Homeland Security, EPA, and state-level agencies, making this activity “hard to scale across the breadth of water utilities across the country.”
“Allowing for private-sector cybersecurity companies to perform assessments would accelerate the collection of information and the development of corrective action plans,” he said.
“As this plan seems to be in direct response to the National Cybersecurity Strategy I anticipate other variants of the same tactic – expanding an existing authority. For example, the Coast Guard, as the sector-specific agency for maritime ports, will likely require cyber assessments as part of the biannual Facility Security Plan (FSP) that has always been required.”
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.