In a recent memorandum to State Drinking Water Administrators, the U.S. Environmental Protection Agency (EPA) outlined essential steps to address cybersecurity gaps in Public Water Systems (PWSs).
The EPA has federal oversight to protect clean and safe drinking water, but it has delegated primary enforcement responsibility to states and tribal governments. Through its partnership with state entities, the EPA’s mission is to ensure that PWSs employ essential cybersecurity best practices to protect public health. Despite that mission, a recent survey revealed that PWSs have failed to adopt basic cybersecurity best practices, putting them at high risk of being victimized by a cyber-attack. [1] The survey results are particularly concerning given the increase in malicious cyber activity against critical infrastructure. The EPA’s memorandum has elevated the priority of addressing cybersecurity gaps by providing several approaches for including cybersecurity in PWS sanitary surveys or other state programs.
Sanitary surveys are conducted periodically at PWSs to help states identify significant deficiencies that must be addressed. Any significant deficiencies found during sanitary surveys must be remediated in a timely manner. Much like significant deficiencies in the physical environment of a PWS, a compromised Operational Technology (OT) system with significant deficiencies could impact the physical environment and potentially cause adverse effects to public health. The EPA defines a significant cybersecurity deficiency to include “the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water.” [2]
EPA Issued a Rule to Add Cybersecurity in Sanitary Surveys, Now What?
The EPA memorandum provides a proactive and flexible way for states to assess the cybersecurity posture of PWSs on a periodic basis, using one of the following options:
- Conduct PWS Self-assessment of Cybersecurity Practices – Some states may require that PWSs conduct a self-assessment, using a government or private-sector method approved by the state, to identify cybersecurity gaps. Examples of approved methods include those from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the American Water Works Association (AWWA), the National Institute of Standards and Technology (NIST), and others.
- Engage Third-party for the Assessment – PWSs could engage an outside third party that is approved by the state (e.g., LSI) to conduct the cybersecurity assessment.
- Evaluate Cybersecurity During Sanitary Surveys – During periodic evaluations, states could choose to evaluate the cybersecurity of OT systems during the sanitary surveys, to determine if significant deficiencies exist.
- Use an Alternative State Program – A state may use its established cybersecurity program as an alternative to including cybersecurity in its sanitary surveys. The cybersecurity assessment must be conducted at least as often as the required sanitary surveys. [3]
Key Takeaways from EPA’s Memorandum
The EPA took an audacious step to include cybersecurity in sanitary surveys. However, evaluating the cybersecurity of PWSs is logical and consistent with the purpose of sanitary surveys. The primary objective of a sanitary survey is to evaluate the adequacy of the system, its sources, its operations, and the distribution of safe drinking water. In past cybersecurity incidents, malicious cyber-attackers have demonstrated that a compromised OT system can prevent a PWS from being able to adequately distribute safe drinking water.
Three key takeaways from EPA’s memorandum include:
- Some PWSs still have significant cybersecurity gaps.
- Sanitary surveys will include a component to evaluate the cybersecurity of OT systems used by the PWS.
- The EPA is ramping up its efforts to help PWSs address cybersecurity gaps.
Immediate Actions that PWSs and Other Organizations can Take to Mitigate Risks
Cybersecurity assessments provide a valuable way to identify risks to PWSs. However, there are some immediate actions that could be taken to enhance cybersecurity and improve the resilience of PWSs and other critical infrastructure. Proven countermeasures that mitigate risks to organizations include, but are not limited to, the following:
Infrastructure Security – Segment & Monitor
- Zone Segmentation – Implement security zones (e.g., Industrial DMZ to separate IT and OT zones).
- VLAN Segmentation – Employ Virtual Local Area Networks (VLANs) to segment traffic.
- Secure Remote Access – Implement only if required and use a VPN with MFA and other access controls.
- Monitor Traffic to OT Zone – A firewall should deny all traffic to ICS by default, permit only explicitly required flows, and log all traffic.
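As an added illustration of the segmentation and default-deny points above (example code written for this article, not from the EPA memorandum or the author), the following Python audit checks a zone-based firewall policy against the IT / Industrial DMZ / OT model. The rule format, the zone names and both rule sets are constructed for this example.

```python
"""Audit a zone firewall policy against the IT / Industrial DMZ / OT model:
traffic into the OT (ICS) zone must end in a logged catch-all deny, and any
allow into OT must come from the DMZ, name a specific port, and be logged."""
from dataclasses import dataclass


@dataclass
class Rule:
    src: str     # source zone: "IT", "DMZ", "OT" or "ANY" (constructed names)
    dst: str     # destination zone
    port: str    # "ANY" or a TCP/UDP port as a string
    action: str  # "allow" or "deny"
    log: bool    # whether matches are forwarded to the central log server


def audit_ot_policy(rules):
    """Return a list of findings; an empty list means the policy is compliant.
    Rules are evaluated first-match, so the catch-all deny must be last."""
    findings = []
    into_ot = [r for r in rules if r.dst in ("OT", "ANY")]
    last = into_ot[-1] if into_ot else None
    if not (last and last.action == "deny" and last.src == "ANY" and last.port == "ANY"):
        findings.append("no final catch-all deny into the OT zone")
    elif not last.log:
        findings.append("catch-all deny into OT is not logged")
    for r in rules:
        if r.dst != "OT" or r.action != "allow":
            continue
        if r.src != "DMZ":
            findings.append(f"direct allow from {r.src} into OT (port {r.port}); route it through the Industrial DMZ")
        if r.port == "ANY":
            findings.append(f"allow from {r.src} into OT has no port restriction")
        if not r.log:
            findings.append(f"allow from {r.src} into OT (port {r.port}) is not logged")
    return findings


# Weak policy (constructed): IT workstations reach PLCs directly and nothing is logged.
WEAK_POLICY = [
    Rule("IT", "OT", "ANY", "allow", False),
    Rule("ANY", "OT", "ANY", "deny", False),
]
# Hardened policy (constructed): only a DMZ host reaches OT, on one port, all logged.
HARDENED_POLICY = [
    Rule("DMZ", "OT", "502", "allow", True),
    Rule("ANY", "OT", "ANY", "deny", True),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit_ot_policy(policy) or ['compliant']}")
```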
Endpoint Security – Identify, Protect, & Detect
- Identify hardware and software assets – Use asset inventory methods to determine versions.
- Harden systems – Remove unnecessary and unsupported software to reduce the attack surface.
- Configure auditing – Network devices should have auditing configured to detect security events.
- Configure Logging – Endpoint devices should be configured to send logs to a centralized server.
Resiliency – Respond & Recover
- Incident Response Plan (IRP) – An IRP and other emergency plans should exist and be verified so that the organization can actually respond when an incident occurs.
- Disaster Recovery Plan (DRP) – A DRP should include the process of recovering critical systems.
- Configuration Backups – All critical systems must be backed up using the principle of backup-in-depth.
1 U.S. Environmental Protection Agency. (2023, March 23). Addressing PWS Cybersecurity in Sanitary Surveys or an Alternate Process. Retrieved May 2, 2023, from https://www.epa.gov/system/files/documents/2023-03/Addressing%20PWS%20Cybersecurity%20in%20Sanitary%20Surveys%20Memo_March%202023.pdf
2 U.S. Environmental Protection Agency. (2023, March). Evaluating Cybersecurity During Public Water System Sanitary Surveys. Retrieved May 2, 2023, from https://www.epa.gov/system/files/documents/2023-03/230228_Cyber%20SS%20Guidance_508c.pdf