US EPA Announces New Cybersecurity Standards for Critical Water Infrastructure

In recent years, cybersecurity has become an increasingly critical issue for industries of all kinds. The threat of cyberattacks has led to the development of stringent security protocols, particularly for organizations responsible for critical infrastructure. Now, the United States Environmental Protection Agency (EPA) is implementing new rules that will require state governments to audit public water utilities for cybersecurity procedures and preparedness.

According to a survey conducted by the Water Sector Coordinating Council, nearly 60% of water and wastewater sector respondents reported conducting cybersecurity risk assessments less than once a year, never, or had no idea when they were conducted. The top challenges for the sector included minimizing control system exposure, risk assessment, vulnerability detection, identifying threats and best practices, and incident/emergency planning. Shockingly, over 42% of respondents said their utility had no cybersecurity component to their risk management plan.

These statistics highlight the critical need for improved cybersecurity in the water sector. An attack on a water system could have immediate and widespread physical consequences, making it a point of particular concern for federal officials. In 2021, hackers allegedly deleted programs controlling water treatment at a San Francisco Bay Area plant, while another incident that year in Florida saw a threat actor attempt to pump dangerous amounts of sodium hydroxide (also known as lye) into a municipal water system.

The EPA’s new guidance is intended for immediate implementation, and the agency is accepting public comments until May 31, 2023. The extensive checklist the EPA has distributed states that “potential significant deficiencies” can include everything from the use of default or insecure passwords in operational technology to inadequate vulnerability mitigation, the lack of a named cybersecurity chief, the absence of separately stored backups, or the absence of an incident response plan.

To help water utilities comply with the new guidelines, the EPA has offered “nationwide, comprehensive training and technical assistance.” The agency has conducted separate training sessions for both state officials and utility operators, and it is also prepared to conduct cybersecurity assessments at water systems if requested by the state. It is commendable that the EPA has positioned itself to build the capacity of water providers so that they are well equipped to fulfil the new guidelines. This is light years away from what regulators and policy makers in developing economies like Kenya are currently prepared to do, despite the resources available for this from various interested parties. The EPA hopes that these guidelines will promote the use of best practices, such as strong passwords and multi-factor authentication, that reduce the risk of a cyberattack compromising clean and safe drinking water.

While the new rules have spurred some pushback from both water utilities and some experts who question whether site surveyors have the right skill sets to conduct the assessments, the solution lies in working closely with cybersecurity experts during the surveys. This will result in sustainable collaboration and maximum utilisation of the minimal resources available, considering the looming shortage of cybersecurity skills globally.

Ultimately, the EPA's efforts to improve cybersecurity in the water sector will help ensure that our critical infrastructure is more secure and resilient. With these new standards in place, water utilities will be better prepared to prevent and respond to cyber threats, protecting public health and safety.
