EPA orders US states to check cyber security of public water supplies
Don’t let miscreants poison the wells
The US government is requiring states to assess the cyber security capabilities of their drinking water systems, part of the White House's broader efforts to protect the nation's critical infrastructure from attacks by nation-states and other cyber threats.
The Environmental Protection Agency (EPA) is outlining steps public water systems officials need to take to protect drinking water supplies, and mandating cyber security assessments in their 'sanitary surveys' of the water systems.
The requirements, released late last week, come after months of work by the EPA and a survey finding that while many public water systems (PWSs) have cyber security programs in place, too many others do not.
That's not good enough at a time when the country's critical infrastructure – including water systems – is under growing attack, Radhika Fox, assistant administrator for water for the EPA, wrote in a memorandum [PDF].
"Today, PWSs are frequent targets of malicious cyber activity, which has the same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack," Fox wrote.
"Clarifying that cyber security must be evaluated in reviewing operational technology that is part of a PWS's equipment or operation during sanitary surveys or other state programs will help reduce the likelihood of a successful cyber attack on a PWS and improve recovery if a cyber incident occurs."
A national patchwork of systems
The survey highlighted the patchwork nature of the drinking water supply environment in the US – one of the challenges in trying to institute cyber security standards.
According to a report last year by the Senate's Republican Policy Committee, there are about 153,000 public drinking water systems in the country that provide potable dihydrogen monoxide to 80 percent of the American population.
Security software maker Tripwire said in a September 2022 report that many of the water systems in the country "are small, serving low-density communities and functioning on limited budgets. The fragmented nature of water utility coverage coupled with low budgets and limited technological expertise means many systems are outdated and under-protected."
It's not only the number of water systems that is a headache. Over the past two decades, public water administrators have increasingly relied on electronic tools to operate their water systems, but those electronic systems now are vulnerable to cyber attacks, Fox wrote.
According to the 2021 report [PDF] from the Water Sector Coordinating Council, a strategy organization for the water and wastewater systems sector, cybersecurity is a top priority in the industry, from training and education to assessments and tools.
There have been incidents
In 2021, a former employee with the Post Rock Rural Water District in Ellsworth, Kansas, was indicted on federal charges of tampering with the water system by remotely accessing it and shutting it down.
Also in 2021, someone remotely accessed the water system in Oldsmar, Florida, and tried to poison it by increasing the sodium hydroxide levels to more than 100 times the normal amount.
The EPA is now pushing all public water systems to build up protections against such attacks.
"Americans deserve to have confidence in their water systems' resilience to cyber attackers," Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said in a statement, adding that the EPA's approach is deliberately flexible so water system administrators can adapt it to their needs while maintaining safe supplies.
If a public water system uses operational technology like an industrial control system (ICS) in its operations, then as part of the larger sanitary survey, the evaluation also must include the cyber security protections of the OT, such as practices and controls, according to the agency.
If "significant deficiencies" in the cyber security protections are found – such as design or operational defects or malfunctioning or failing water treatment, storage, or distribution systems – the state must ensure the PWS addresses them.
The EPA is giving some organizations more leeway depending on the programs they already have in place, with options ranging from letting water system operators self-assess their systems to letting third parties do the work or having the states run the assessments.
The agency has also offered to provide technical assistance and training, as well as financial help through such programs as the Drinking Water State Revolving Fund and Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program.
Under the Biden administration, the Cybersecurity and Infrastructure Security Agency (CISA) and other government entities have worked to bolster the cyber security of critical infrastructure in 16 sectors over time – such as chemical, oil, electric, gas, and water. It's part of the White House's ICS Cybersecurity Initiative that launched in 2021.
The program came in the wake of the ransomware attack on Colonial Pipeline that year by the Russia-linked group DarkSide that choked deliveries of fuel to some major East Coast markets. Soon after, global meat processing company JBS Foods was hit by a sophisticated cyber attack that affected facilities in the US, Canada, and Australia.