US EPA Regulates Public Drinking Water for Cybersecurity
Biden Administration Says Ransomware and Other Incidents Demand Regulatory Response
Cybersecurity will take its place alongside chemical contaminant removal as an element the U.S. Environmental Protection Agency says public water systems must address as part of federally mandated periodic safety assessments.
The EPA is invoking its powers under the Safe Drinking Water Act to make the security of operational technology a factor in the assessments, which the agency calls "sanitary surveys."
"Cyberattacks that are targeting water systems are real and a significant threat," said Radhika Fox, EPA assistant administrator for the Office of Water, during a Thursday evening call with reporters. The EPA requires water systems to undergo a sanitary survey every three to five years.
The Biden administration has strongly hinted for months that it would step up regulatory requirements for public water systems as part of a strategy to use existing statutes such as the Safe Drinking Water Act to create new cybersecurity mandates for sectors of critical infrastructure. Some states have also directed local public water systems to incorporate cybersecurity into their sanitary surveys.
The EPA's announcement comes a day after the administration released a strategy for cybersecurity that calls on lawmakers to create new regulatory authorities (see: White House Unveils Biden's National Cybersecurity Strategy).
Concern over water systems' vulnerability to hacking has percolated for more than a decade but has grown in tandem with the yearslong wave of ransomware attacks that have disrupted every sector of critical infrastructure. Federal agencies in 2021 warned the public water sector to improve its security posture after observing a ransomware attack against a California facility that caused three SCADA servers to display an extortion demand. The warning also cited ransomware incidents in Nevada, New Jersey and Maine.
It also cited a now-notorious 2019 incident at the Post Rock Rural Water District in which a former employee used his still-active remote desktop credentials to shut down the water treatment facility serving 10,000 in central Kansas. The man, Wyatt Travnichek, pleaded guilty and in May received a sentence of three years of probation (see: Public Water Systems at Cybersecurity Risk, Lawmakers Hear).
The EPA says public water systems have a number of options available to comply with the new regulatory mandate. They include self-assessments, third-party assessments or assessments by the state government. States can also incorporate water systems into existing state programs for closing cybersecurity gaps.
The agency released guidance on how it intends to evaluate cybersecurity and says public response to it will guide revisions.