The US government is requiring states to assess the cybersecurity capabilities of their drinking water systems, part of the White House’s broader efforts to protect the nation’s critical infrastructure from attacks by nation-states and other cyberthreats.
The Environmental Protection Agency (EPA) is outlining steps public water systems officials need to take to protect drinking water supplies, and mandating cybersecurity assessments in their ‘sanitary surveys’ of the water systems.
The requirements, released late last week, come after months of work by the EPA and a survey finding that while many public water systems (PWSs) have cybersecurity programs in place, too many others do not.
That’s not good enough at a time when the country’s critical infrastructure – including water systems – are under growing attack, Radhika Fox, assistant administrator for water for the EPA, wrote in a memorandum [PDF].
“Today, PWSs are frequent targets of malicious cyber activity, which has the same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack,” Fox wrote.
“Clarifying that cybersecurity must be evaluated in reviewing operational technology that is part of a PWS’s equipment or operation during sanitary surveys or other state programs will help reduce the likelihood of a successful cyber-attack on a PWS and improve recovery if a cyber incident occurs.”
A national patchwork of systems
The survey highlighted the patchwork nature of the drinking water supply environment in the US, one of the challenges in trying to institute cybersecurity standards.
According to a report last year by the US Senate’s Republican Policy Committee, there are about 153,000 public drinking water systems in the country that provide potable dihydrogen oxide to 80 percent of the American population.
Security software maker Tripwire said in a September 2022 report that many of the water systems in the country “are small, serving low-density communities and functioning on limited budgets. The fragmented nature of water utility coverage coupled with low budgets and limited technological expertise means many systems are outdated and under-protected.”
It’s not only the number of water systems that is a headache. Over the past two decades, public water administrators have increasingly relied on electronic tools to operate their water systems but those electronic systems now are vulnerable to cyberattacks, Fox wrote.
A 2021 report [PDF] from the Water Sector Coordinating Council, a strategy organization for the water and wastewater systems sector, cybersecurity is a top priority in the industry, from training and education to assessments and tools.
There have been incidents
In 2021, a former employee with the Post Rock Rural Water District in Ellsworth, Kansas, was indicted on federal charges of tampering with the water system by remotely accessing it and shutting it down.
Also in 2021, someone remotely accessed the water system in Oldsmar, Florida, and tried to poison it by increasing the sodium hydroxide levels to more than 100 times the normal amount.
The EPA is now pushing all public water systems to build up protections against such attacks.
“Americans deserve to have confidence in their water systems’ resilience to cyber attackers,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said in a statement, adding that the EPA’s approach is purposely flexible so water system administrators can adapt it to their needs while maintaining safe supplies.
If a public water system uses operational technology like an industrial control system (ICS) in its operations, then as part of the larger sanitary survey, the evaluation also must include the cybersecurity protections of the OT, such as practices and controls, according to the agency.
If “significant deficiencies” in the cybersecurity protections are found – such as design or operational defects or malfunctioning or failing water treatment, storage, or distributions systems – the state must ensure the PWS addresses it.
The EPA is giving some organizations more leeway depending on the programs they already have in place, ranging from enabling water system operators to self-assess their systems, letting third parties do the work, or having the states run the assessments.
The agency has also offered to provide technical assistance and training, as well as financial help through such programs as the Drinking Water State Revolving Fund and Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program.
Under the Biden Administration, the Cybersecurity and Infrastructure Security Agency (CISA), and other government entities have worked to bolster the cybersecurity of critical infrastructure in 16 sectors over time, such as chemical, oil, electric, gas, and water. It’s part of the White House’s ICS Cybersecurity Initiative that launched in 2021.
The program came in the wake of the ransomware attack on Colonial Pipeline that year by the Russia-link group DarkSide that choked delivers of fuel to some major East Coast markets. Soon after, global meat processing company JBS Foods was hit by a sophisticated cyberattack that affected facilities in the US, Canada, and Australia. ®