EPA memo pushes states to include cybersecurity in water safety reviews

The EPA sent a memo to states reinterpreting the 1974 Safe Drinking Water Act to require regular assessments of cybersecurity vulnerabilities in public water systems. (Photo by Brandon Bell/Getty Images)
One day after the Biden administration rolled out a new national cyber strategy that leans heavily on using existing regulatory authorities to improve cybersecurity standards within critical infrastructure, the Environmental Protection Agency announced it is reinterpreting a decades-old environmental law to impose higher cybersecurity standards on public water systems.

The 1974 Safe Drinking Water Act allows the EPA to establish minimum, baseline safety standards to prevent the contamination of waters that are actually or potentially designed for drinking use. Such systems must conduct regular audits — called sanitary surveys — that review and assess the functionality of public water systems.

States and water utilities conduct regular audits — called sanitary surveys — that review and assess the functionality of public water systems. In a memo sent to states Friday morning, the agency said that they must now also evaluate whether cybersecurity weaknesses or vulnerabilities pose a threat to safe drinking water where utilities rely on remote or automated systems to operate.

Radhika Fox, deputy EPA administrator, said the memorandum expands EPA’s interpretation of the law to include consideration of potential cyber, as well as physical, threats to water systems.

“Historically, sanitary surveys have been utilized to protect water utilities from physical vulnerabilities. Under our new cyber memorandum, we have clarified that sanitary surveys must also include cybersecurity, as well as physical security, as essential to being able to deliver clean, safe water,” Fox told reporters in a press briefing Thursday.

According to an EPA fact sheet provided to reporters, the memo states that any public water system which relies on an industrial control system or other operational technology and is a necessary component of a sanitary survey will now be required to “evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.” If a cybersecurity deficiency is discovered through the survey, states would be compelled to use their own regulatory authorities to force the affected water utility to address it.

For cybersecurity purposes, the EPA is defining “significant deficiencies” as “the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water.”

Utilities can address any identified problems in a variety of ways, either through self- or third-party assessments, state-led evaluations of cybersecurity practices, or existing state cybersecurity programs for critical infrastructure. The EPA also provides its own technical cybersecurity support services upon request.