EPA Has ‘New Rules’ for Protecting Public Drinking Water

The EPA isn’t mincing words when it comes to protecting public drinking water. Earlier this month they released a memorandum putting specifics into the general advice to maintain cybersecurity at public water systems (PWSs). Per the report, “[The] EPA clarifies with this memorandum that states must evaluate the cybersecurity of operational technology used by a PWS when conducting PWS sanitary surveys.” That’s pretty straightforward.

Operational Technology (OT) has always been a thorn in the side of industrial complexes, especially as digitization has inspired many to improve with IoT advancements. Now new IT and old OT are mixing, and the results are less than savory. Old OT (with its inherent vulnerabilities) provides the perfect inroad for criminal hackers looking for low entry-fee ways to infiltrate a highly valuable – and increasingly more sophisticated – environment. They get in through some stale, forgotten OT vulnerability then move laterally through the network or burrow up into the cloud. Either way, the result is all bad.

This memorandum, “Addressing Public Water System Cybersecurity in Sanitary Surveys or an Alternate Process,” goes over the nuts and bolts of how to do PWS sanitary surveys with cybersecurity constantly in mind. Here are the basics.

1. Section 1: Somebody needs to assess PWS cybersecurity practices (be it you, a third-party, the state, or another agency)  
   Accounting for all the differences in state capabilities – some may have robust resources, other’s are scarce – the EPA is just specifying that by hook or crook, some entity needs to evaluate cybersecurity practices when surveying public water systems. It can be a self-assessment by the PWS itself ‘using a government or private-sector method approved by the state.’ It can be performed by a third-party. It can be done by state surveyors. Or it can be nested under an ‘alternative state program’ such as homeland security, so long as the cybersecurity posture of the PWS is assessed. The purpose of these evaluations of course is to identify security gaps.
2. Section 2: The EPA will provide technical assistance to put cybersecurity in these PWS surveys
   In the event that resources are truly scarce, the EPA is stepping up and offering to provide technical assistance, along with guidance and training, pursuant to getting cybersecurity evaluations implemented in PWS sanitary surveys. The specific types of assistance are outlined here. Generally, they include:
   • Guidance | An ‘optional checklist’ of cybersecurity practices to help states:
     • Assess PWS cybersecurity
     • Identify gaps and deficiencies
     • Remediate
   • Training | The ‘how to’ of evaluating cybersecurity at a PWS, including:
     • Identifying gaps and deficiencies
     • Remediation practices
     • Information protection
     • Technical assistance (from the EPA and others)
     • Funding
   • Technical Assistance | A subject-matter expert (SME) available for technical consultation:
     • Is this security gap significant enough?
     • What is the appropriate risk mitigation?
     • This is all under the newly created “Cybersecurity Technical Assistance Program for the Water Sector”
3. Addendum: Here’s why implementing cybersecurity in PWS sanitary surveys is so important, plus more helpful resources.   
   • Does this new memorandum apply to me?
     Yes. It applies to all states, territories and tribes with a public water system (PWS). In any period of time in which these entities do not have primary enforcement over a PWS, the responsibility goes to the EPA. In which case the answer is still, yes.
   • What actions is the EPA taking?
     The EPA is ‘interpreting its existing regulations’ regarding states’ duties over PWS sanitary surveys. In other words, they are nailing down specifics and making everything painfully clear. For example:
     • The eight requirements of a PWS sanitary survey
     • The requirement to take necessary corrective actions
     • A mandatory review of SCADA systems
     • The need to review emergency response plans
     • A cybersecurity assessment should already be a part of PWS surveys, considering the purpose of the latter is to “evaluate the adequacy of the system, its sources and operations and the distribution of safe drinking water.”
   • Why is the EPA communicating this now?
     In short, because threats are increasing, and legacy water infrastructure can’t keep up – nor can legacy water cybersecurity methods.
     • OT like SCADA is now widespread
     • They reduce staffing and increase remote monitoring, but also introduce a lot of vulnerabilities
     • Malicious events have already happened, and will continue to happen if defenses aren’t raised
     • Note: The National Cyber Awareness System (managed by CISA) issues alerts to CNI sectors, including water. The mitigation strategies included in these alerts follow NIST best practices and can be effective in preventing attacks.
   • How does this relate to America’s Water Infrastructure Act of 2018 (AWIA)?
     While AWIA mandates the review of electronic systems and requires an emergency plan, it does not specifically require any cybersecurity best practices. The EPA has full jurisdiction to implement the regulatory requirements that it did, and they are all inter-compliant with AWIA guidelines.
   • What additional resources are available?
     Here is a list of resources available to help states comply with these new EPA requirements and put cybersecurity assessments into PWS sanitary surveys:
     • Technical
       • See Section 1 for a list of government and private sector methods you can use to perform the cybersecurity assessment
       • The NIST Cybersecurity Framework
       • DHS CISA
       • CISA Cybersecurity Advisors (CSAs), located in ten regional offices
       • USDA Rural Development Circuit Rider Program provides technical assistance to rural water systems serving 10,000 or less
       • Water ISAC (Information Sharing and Analysis Center)
       • Multi-State ISAC
       • Private water associations like the AWWA (American Water Works Association) and NRWA (National Rural Water Association)
     • Financial
       • DWSRF (Drinking Water State Revolving Fund)
       • EPA’s Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program
       • USDA Rural Utilities Service Water and Environmental Programs
       • DHS State and Local Cybersecurity Grant Program, managed jointly by CISA
   • Can we keep sensitive information about our cybersecurity program undisclosed?
     Yes, it may be necessary. While government agencies operate on transparency, for common sense purposes, sensitive PWA-related cybersecurity specifics should be kept confidential.
     • Where the EPA does the assessment, it plans to implement Freedom of Information Act (FOLA) exemptions to keep PWS cybersecurity information safe.
     • Where states do the assessment, they will be in charge of how to keep it confidential.
     • The EPA offers guidance in Section 2 about how to keep the sensitive parts separate from the rest of the report, and undisclosed.  
   • Any additional PWS sanitary survey requirements we should know about?
     All requirements are outlined in 40 CFR parts 141 and 142.
     • Every three years for community water systems, every five years for non-community
       • You can also do the sanitary surveys in stages
     • If the EPA does the survey, it defines a ‘significant deficiency’ in 40 CFR Section 141.723
     • If the state does the survey, it has to define what constitutes a ‘significant deficiency’
   • Did the EPA engage stakeholders in this process?
     Yes, the EPA included the Association of State Drinking Water Administrators (ASDWA), representatives from state and tribal drinking agencies, and leaders of the major drinking water sector associations. It also met with the Water Sector Coordinating Council and Water Government Coordinating Council throughout 2022.

While these rules may seem granularly specific, that much is needed. With so many competing priorities – day to day operations, ‘small fires,’ constant threat lookout, keeping the lights on, staying up with existing compliance requirements – it’s no wonder anything previously ‘unrequired’ and unspecified wasn’t attended to. Here’s to a change.

Now, the risk to public safety through a possible compromise of the water system is so high that government agencies like the EPA have to take matters into their own hands. Many say, it’s about time.

Fortra’s Tripwire has 25+ years of experience building solutions that thousands of companies worldwide have grown to trust as the foundation of their cybersecurity and compliance programs. Industrial organizations trust Tripwire to accurately detect suspicious changes and prevent future incidents by discovering and prioritizing risks. Our industrial solutions span IT and OT environments, turning raw data into actionable information, providing deep visibility, and integrating seamlessly with other solutions. They also keep ICS operators audit-ready for regulations like NERC CIP, NIST, and the Center for Internet Security’s CIS Controls.

Learn more about our industry-leading enterprise cybersecurity solutions today.