EPA Releases Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems

Created: Thursday, September 19, 2024 - 14:32
Categories:
Cybersecurity, OT-ICS Security, Federal & State Resources

Yesterday, the EPA released “Improving Cybersecurity at Drinking Water and Wastewater Systems”, developed to assist owners and operators of drinking water and wastewater systems with assessing gaps in their current cybersecurity practices. As outlined in the guidance, the EPA recommends that all water and wastewater systems (WWS) owners and operators, regardless of system type and population served, evaluate the risks to and resilience of their IT and OT systems to cyber threats and develop risk mitigation plans to address cyber vulnerabilities in critical operations.

The guidance includes sections listing numerous resources for technical support in improving cybersecurity at WWSs, as well as the EPA Cybersecurity Checklist, a series of questions designed to assess the cybersecurity practices and controls at a WWS (included in Appendix A of the guidance). The EPA Cybersecurity Checklist was derived from CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), the baseline cybersecurity practices aligned with the NIST Cybersecurity Framework and applicable across critical infrastructure sectors.

Additionally, owners and operators of community water systems (CWSs) that serve more than 3,300 people are subject to section 1433 of the Safe Drinking Water Act (SDWA). These CWSs may use this guidance as one option to address cybersecurity in their risk and resilience assessments and emergency response plans and to meet the requirements under SDWA section 1433. Compliance with SDWA section 1433 requires:

  • Assessing the risks to and resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage, and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system; the monitoring practices of the system; the financial infrastructure of the system; the use, storage, or handling of various chemicals by the system; and the operation and maintenance of the system; and may include an evaluation of capital and operational needs for risk and resilience management for the system.
  • Preparing or revising, where necessary, an emergency response plan that incorporates the assessment's findings, which shall include strategies and resources to improve the system's resilience, including the system's physical security and cybersecurity.

WaterISAC is listed and recommended alongside CISA, NIST, and the American Water Works Association (AWWA) in the Cybersecurity Tools and Guidance section of the guidance and is mentioned as a resource for proper reporting of cybersecurity incidents.

The EPA reminds the water sector that “WWSs are frequent targets of malicious cyber activity, which has the potential to interfere with operations and may result in significant response and recovery costs. Of particular concern, a cyberattack on a vulnerable WWS may allow an adversary to manipulate operational technology, which could disrupt the production of clean and safe water.” Access the full guidance at EPA.