March 6, 2023

The Environmental Protection Agency (EPA) announced that water utilities will be required to improve their cybersecurity measures. The EPA is concerned about the possibility of cyberattacks causing water supply disruptions.

Water utilities will be required to conduct regular risk assessments and develop plans for responding to cyberattacks under the new rules. They will also be required to implement a variety of technical security measures, such as firewalls and encryption, to protect their networks.

The EPA will require states to survey the digital networks that govern drinking water filtration operations under the national framework. This comes after a slew of cyberattacks on critical infrastructure in the United States, with water systems being the most recent targets. The EPA insists that states include cybersecurity in their periodic audits of water systems (known as “sanitary surveys”) and highlights various approaches that states can take to fulfill this responsibility.

“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water Radhika Fox. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”

The EPA will also assist states in assessing the security of their water systems. The new “Evaluating Cybersecurity During Public Water Sanitary Surveys” guidance will assist state governments in incorporating a stronger cybersecurity posture into their existing water purification systems.

The sources for this piece include an article in Axios.