The U.S. Environmental Protection Agency released a memorandum requiring states to assess the cybersecurity risks of drinking water systems.
While some public water systems have already enhanced their cybersecurity, many have yet to adopt the best practices and are at a high risk of cyberattacks, according to a March 3 EPA news release.
“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health,” EPA Assistant Administrator for Water Radhika Fox said in the release. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems."
The EPA is also providing technical assistance and resources to assist states as they strengthen their cybersecurity, the release reported. The agency's guidance document, titled Evaluating Cybersecurity During Public Water Sanitary Surveys, includes information on evaluating and improving the cybersecurity of operational technology used to provide safe drinking water.
"Americans deserve to have confidence in their water systems' resilience to cyber attackers," Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger said in the release. "The EPA's new action requires water systems to implement adequate cybersecurity to provide that confidence. EPA used a flexible approach to enable water systems to craft the most effective ways to protect water services."
The EPA will be offering additional training on how to implement strong cybersecurity measures and use the available resources, the release reported. The agency is also offering consultations with subject matter experts and direct technical assistance to water systems to conduct assessments of their cybersecurity practices and their plans for closing any gaps in security.
"The EPA's action is another step in the administration's relentless focus on improving the cybersecurity of critical infrastructure by setting minimum cybersecurity measures for owners and operators of the water, pipelines rail other critical services Americans rely on," Neuberger added, according to the release.