EPA memo pushes states to include cybersecurity in water safety reviews

One day after the Biden administration rolled out a new national cyber strategy that leans heavily on using existing regulatory authorities to improve cybersecurity standards within critical infrastructure, the Environmental Protection Agency announced it is reinterpreting a decades-old environmental law to impose higher cybersecurity standards on public water systems.

The 1974 Safe Drinking Water Act allows the EPA to establish minimum, baseline safety standards to prevent the contamination of waters that are actually or potentially designed for drinking use. Such systems must conduct regular audits — called sanitary surveys — that review and assess the functionality of public water systems.

States and water utilities conduct regular audits — called sanitary surveys — that review and assess the functionality of public water systems. In a memo sent to states Friday morning, the agency said that they must now also evaluate whether cybersecurity weaknesses or vulnerabilities pose a threat to safe drinking water where utilities rely on remote or automated systems to operate.

Radhika Fox, deputy EPA administrator, said the memorandum expands EPA’s interpretation of the law to include consideration of potential cyber, as well as physical, threats to water systems.

“Historically, sanitary surveys have been utilized to protect water utilities from physical vulnerabilities. Under our new cyber memorandum, we have clarified that sanitary surveys must also include cybersecurity, as well as physical security, as essential to being able to deliver clean, safe water,” Fox told reporters in a press briefing Thursday.

According to an EPA fact sheet provided to reporters, the memo states that any public water system which relies on an industrial control system or other operational technology and is a necessary component of a sanitary survey will now be required to “evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.” If a cybersecurity deficiency is discovered through the survey, states would be compelled to use their own regulatory authorities to force the affected water utility to address it.

For cybersecurity purposes, the EPA is defining “significant deficiencies” as “the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water.”

Utilities can address any identified problems in a variety of ways, either through self- or third-party assessments, state-led evaluations of cybersecurity practices, or existing state cybersecurity programs for critical infrastructure. The EPA also provides its own technical cybersecurity support services upon request.

Cyber threat to water utilities 'not a hypothetical'

Fox characterized the new requirements as essential to protecting the safety of the nation’s drinking water and stressed “this is not a hypothetical” threat, noting that the agency has seen malicious cyber incidents affecting water systems in California, Florida, Kansas, Maine and Nevada.

Perhaps the most notorious example of the peril water systems face happened in 2021, when a remote access system at a water treatment plant in Oldsmar, Florida, was hijacked by hackers who attempted to increase the amount of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million. Also known as lye, the substance is used in drain cleaners to reduce the acidity of water and make it more potable, but too much can make the water caustic and potentially deadly.

“What we know is that cyberattacks that are targeting water systems pose a real and significant threat to our security,” Fox said. “Incidents of malicious attacks on water systems have done things such as shut down critical treatment processes, locked control systems behind ransomware and even disabled communications used to monitor and control distribution system infrastructure [like] pumping stations.”

Anne Neuberger, deputy national security advisor for cybersecurity and emerging technology on the White House National Security Council, told reporters that the EPA actions are a “key example” of the kind of existing regulatory authorities the administration is seeking to leverage in order to protect critical or essential American services from cyber threats.

In a speaking engagement earlier Thursday, Neuberger said the White House has assessed that most of the regulations they intend to pursue fall under similar, existing authorities at federal agencies, while efforts to impose baseline standards in other sectors, like education and critical manufacturing, will likely require congressional action.

Mike Hamilton, a former CISO for the City of Seattle and former vice-chair of the DHS State, Local, Tribal, and Territorial Government Coordinating Council, cast the memo as a reasonable expansion of EPA’s writ to account for the modern reality that cyber attacks directed at operational technologies can have dangerous physical effects.

“It’s clear that this guidance is using an existing authority of the EPA as the sector-specific agency for water and waste. Because the EPA has historically only regulated water purity, they’re using the existing sanitary survey audits to subtly expand their purview,” said Hamilton, currently a founder and CISO at Critical Insight, a cybersecurity firm focused on critical infrastructure entities. “To the extent that cyber exposures for operational technologies can be compromised to affect water safety this makes sense.”

Jennifer Lyn Walker, director of infrastructure cyber defense at WaterISAC, said her organization supports EPA's efforts to ensure as many public water systems as possible are discussing cybersecurity in their assessments, and endorsed the concept of states and utilities having multiple pathways to building those considerations into assessments like sanitary surveys.

While the agency is offering technical assistance to states and water utilities at no charge, the reality is that cybersecurity is a cost of doing business for every organization, and even light-touch regulations can result in new financial burdens being placed on already cash-strapped states and localities.

"My hope is that authorities will make it easier to obtain grant funding, especially for smaller or less resourced systems who need to make significant improvements," Walker told SC Media.