On March 3, 2023, the United States Environmental Protection Agency (“EPA”) published a memorandum requiring states to evaluate the cybersecurity of operational technology used by public water systems (“PWSs”) “when conducting PWS sanitary surveys or through other state programs.” EPA’s memorandum “interprets the regulatory requirements relating to the conduct of sanitary surveys to require that when a PWS uses operational technology (“OT”), such as an industrial control system (“ICS”), as part of the equipment or operation of any required component of a sanitary survey, then the sanitary survey of that PWS must include an evaluation of the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.” Specifically, “EPA’s interpretation clarifies that the regulatory requirement to review the ‘equipment’ and ‘operation’ of a PWS necessarily encompasses a review of the cybersecurity practices and controls needed to maintain the integrity and continued functioning of operational technology of the PWS that could impact the supply or safety of the water provided to customers.”
EPA specifies that during sanitary surveys of PWSs, states must:
- Evaluate the adequacy of the cybersecurity of OT for producing and distributing safe drinking water, if the “PWS uses an ICS or other [OT] as part of the equipment or operation of any required component of the sanitary survey[;]” and
- Use the state’s authority to require the PWS to address any identified significant deficiencies.
Significant Deficiencies. In terms of cybersecurity, EPA states that “significant deficiencies should include the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water.”
Approaches to Include the Assessment of Cybersecurity as Part of PWS Sanitary Surveys. EPA’s memorandum provides different approaches that states could employ to evaluate cybersecurity at PWSs, including:
- Self-assessment or third-party assessment of cybersecurity practices;
- State evaluation of cybersecurity practices during the sanitary survey; or
- Alternative state program for water system cybersecurity.
EPA Technical Assistance. To support implementation, EPA’s memorandum references various resources for PWSs and states, such as:
- Guidance Documents – In conjunction with its memorandum, EPA published a guidance document, Evaluating Cybersecurity During PWS Sanitary Surveys, for public comment, which “includes an optional checklist of cybersecurity practices” to (1) assess cybersecurity at a PWS, (2) identify gaps, including potential significant deficiencies, and (3) select appropriate remediation actions. EPA’s checklist draws upon the U.S. Cybersecurity and Infrastructure Security Agency’s Cross-Sector Cybersecurity Performance Goals.
- Training – Starting this year, EPA will offer training for PWSs and states “on evaluating cybersecurity in sanitary surveys.”
- Technical Assistance – EPA has established a Cybersecurity Technical Assistance Program for the Water Sector, within which PWSs “can submit questions or request to consult with a subject matter expert regarding cybersecurity in PWS sanitary surveys[.]” EPA notes that this technical assistance “will not be an emergency line to report cyber incidents and it will not serve as a resource for cyber incident response or recovery efforts[.]” Additionally, EPA intends to carry out assessments of cybersecurity practices at PWSs through its Water Sector Cybersecurity Evaluation Program. A link to register for the program is included within the memorandum.
Looking Ahead. EPA’s memorandum requiring states to address the cybersecurity of PWSs follows closely on the White House’s release of its new National Cybersecurity Strategy, which calls for minimum cybersecurity requirements, rather than voluntary measures, in critical sectors to enhance national security and public safety. EPA’s focus on cybersecurity accords with the Strategy’s shift toward a more regulatory-focused cybersecurity approach.