Just after President Biden issued the nation’s strategy on cybersecurity on 2 March 2023, the U.S. Environmental Protection Agency (EPA) released new cybersecurity guidance for states that manage public drinking water systems. Guidance from the EPA memo requires that states “evaluate the effectiveness of the cybersecurity of a PWS to produce and distribute safe drinking water.” The EPA memo further clarifies that states must evaluate operational technology (OT) used within public water systems (PWS).
The EPA provides states with three different options to comply with the EPA mandate: 1) allow PWSs to do a cybersecurity self-assessment or have a third party complete an assessment for them, 2) have the states themselves conduct a cybersecurity assessment during an already required “sanitary survey”, and 3) if states already have an existing process for monitoring the cybersecurity of a PWS, they may leverage that.
Additional details are below on the new EPA mandates for PWSs and ideas from Natsar on how PWSs and states can comply. Natsar recommends PWSs strategize on how they will comply with this new EPA directive by engaging executive leadership and ensuring that future planning and budgeting activities include cybersecurity assessments, remediations, and mitigations.
- The new EPA guidance is mandatory for states, tribes, and territories to implement
- Cybersecurity evaluations must be done with the same frequency as PWS sanitary surveys (typically every 3-5 years depending on various factors)
- Any PWS using operational technology (OT), including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, is bound by these requirements
- There are no exemptions for smaller PWSs; this mandate applies to “all PWSs rather than the subset of community water systems”
On the heels of the 2 March 2023 U.S. National Cybersecurity Strategy release, the Environmental Protection Agency (EPA) released new cybersecurity requirements for public water systems (PWS). The new mandate requires states, tribes, and territories with jurisdiction over PWSs to assess the cybersecurity posture of any PWS that uses operational technology (OT) as part of the water system. The memo issued by EPA defines OT as “hardware and software that detects or causes a change through the direct monitoring or control of physical devices, processes, and events in the enterprise”. With the widespread use of OT, including industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA) within water systems, it will be rare to find a PWS that this mandate does not apply to.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), there are over 153,000 PWSs. If spread evenly across all 56 U.S. states and territories, it would mean 2,732 PWSs per state and territory. Water and wastewater treatment facilities are one of the 16 identified critical infrastructure sectors within the United States and have their own Information Security and Analysis Center. Recent cyberattacks against public utilities, including PWSs, have highlighted how vulnerable utilities are to a cyber threat actor (CTA). In January 2021, a CTA successfully compromised a water treatment plant in the San Francisco, California area. They used credentials of a former employee to access systems remotely at the water plant and then deleted various programs.
In another 2021 cyber-attack, CTAs compromised the water system in Oldsmar, Florida. In this attack, adversaries increased the amount of sodium hydroxide by 100 times the normal level. If personnel had not quickly caught this incident, an increase in that amount of sodium hydroxide could have had significant health effects for the residents. Both attacks were easily preventable and implementing even basic cybersecurity practices (commonly referred to as basic cyber hygiene) would have thwarted them.
EPA’s answer to this growing cybersecurity risk is to mandate that states ensure cybersecurity assessments are conducted for the PWSs within their purview. States have three options available to them under these new requirements. Those options are:
- The PWS conducts its own self-assessment or has a private third-party assess its cybersecurity program and practices.
- The state performs the assessment during the sanitary survey the state is already required to conduct.
- An existing state program that provides cybersecurity for the PWS, such as a state homeland security department or similar.
While Natsar applauds the emphasis placed on cybersecurity of critical infrastructure, we see a few challenges with the EPA’s guidance as written, such as:
- Most PWS entities do not have sufficiently trained or experienced personnel in the cybersecurity domain to conduct an effective self-assessment of their cybersecurity posture. Frankly, if the PWS had such staff, they already would have a cybersecurity program and strategy.
- In Natsar’s experience, many states, and especially those states that already struggle with cybersecurity at the state level, do not have the expertise or the capacity to perform assessments of the PWSs in their jurisdiction. Without hiring a significant staff, we do not believe any state could absorb this work for hundreds or even thousands of PWSs within their jurisdiction.
- The EPA memo requires the state to approve any third-party assessor of a PWS. The lack of cybersecurity vendors with expertise in assessing critical infrastructure, and specifically OT environments, combined with the realization that most states do not currently have such a list, means that this won’t be available quickly for most PWSs. It also will most likely mean that these third-party assessments could be prohibitively expensive for some jurisdictions.
- The state sanitary survey of PWSs only occurs every three to five years, depending on certain factors. This is far too long to go between cybersecurity assessments with the rapid change of technology and cyber-attack tactics, techniques, and procedures. The federal government used to assess federal information systems on a three-year authority to operate (ATO) schedule and it was disastrous, leading to a new assessment and authorization program that requires continuous monitoring, diagnostics, and mitigation.
- The PWSs do not have adequate guidance on how to track, prioritize, or validate deficiencies.
- The EPA offers cybersecurity training and suggests leveraging federal programs such as the CISA cybersecurity advisors (CSAs). While this is helpful, CSAs are already over-taxed, and it is not realistic to expect that a few CISA employees in each state will dedicate sufficient time just to PWSs.
The EPA mandate does not discuss in sufficient detail how to rank the gaps and vulnerabilities discovered during a cyber assessment. The existing definition of “significant deficiencies” includes things such as failures, malfunctions, or a lack of maintenance that has the potential to cause contamination of water delivered to customers. EPA opines that “significant deficiencies” in cybersecurity could include the “absence of a practice or control, or the presence of a vulnerability that has a high risk of being exploited…”
The challenge with such broad terminology and lack of specificity is how it will apply to PWSs. For example, the use of multifactor authentication (MFA) is a control in every cybersecurity framework available today, yet many organizations still do not have it fully (or even partially) implemented. If a PWS does not have MFA, is that a “significant deficiency” and what does that really mean? It is not as if the water supply is going to be turned off for its consumers, so what will the forcing function be and the consequence for non-compliance? We are also curious how much discretion the state will have in determining how to address gaps that have been identified. Will PWSs have the ability to identify gaps and simply document them on a plan of action and milestones (POA&M) document, or will there be some formal acceptance of risk and mitigation plan by the state? It will be interesting to see how the various states adopt this new requirement.
Natsar’s staff has a long history of protecting state and local government and critical infrastructure. If you are interested in learning more about our capabilities and how we can help, contact us. We also have several documents and are building new courses on how to build cybersecurity programs and various frameworks. You can join a waiting list for courses by filling out this form.
The EPA produced a companion document to the above-mentioned memo called “Evaluating Cybersecurity During Public Water System Sanitary Surveys.” This document contains a checklist of cybersecurity practices based on the CISA cross-sector cybersecurity performance goals (CPG). EPA has done some work in this document to clarify certain aspects of CPG for water systems and OT environments specifically and to contextualize the goals for PWS consumption.
It should be noted that the CPG is designed to be used with the National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) and not as a replacement for it. Natsar recommends PWSs do the following to prepare for a cybersecurity assessment:
- Select a framework to use with your organization to measure the implementation of cybersecurity controls and maturity. There are many models available, and most of them are very similar. We recommend the CIS Critical Security Controls for ease of understanding and a risk-based approach or the NIST CSF. The CISA CPG can also be used, which may be appropriate because of EPA’s reliance on them, although we do not find them as helpful as the CIS controls.
- Once you have selected a framework, start a self-assessment against the controls in the framework. Take inventory of what you have done and what is not yet done. Include partial control implementations, and describe your plans to close gaps in your cybersecurity program and what mitigating controls may exist to help reduce risk.
- Begin documenting your cybersecurity program. One thing you will absolutely need to be compliant is written policies and procedures for your cybersecurity program. Natsar has several written documents available that can expedite your progress.
- If you do not have expertise in house to perform this, reach out to the resources EPA has mentioned such as USDA, CISA, the Water ISAC, the MS-ISAC, or your state cybersecurity department. There are some online assessments available on the EPA page.
- Make a spreadsheet of POA&Ms that is easy to understand. The POA&Ms should identify the deficiencies, assess the risk of those deficiencies, develop a mitigation plan, calculate the cost to mitigate, determine if budget money has been allocated, assign who handles the items, and note other related information. This shows assessors you are aware of shortfalls and have a plan to address them.
- Develop a risk register to document IT, OT, and cyber risks for your PWS. Risks should include everything from equipment being end-of-life to a known single point of failure. Brief this risk register to executives regularly and continue to monitor the progress of risk mitigation and changes. Include cyber-risk in the risk discussions and triaging if your organization already has an enterprise risk management (ERM) program.
- Get executives involved in the self-assessment activities and ensure they are aware of this new guidance and understand what effects it may have on operations.
- Now that you understand your current cybersecurity state, your gaps, and your risk, begin creating your cyber strategy and plan. Document how you will achieve compliance and provide your customers with assurance that you are protected against cyberattacks.
- Start implementing your plan, preferably by tackling the items that will reduce the most risk, but don’t let perfect be the enemy of good. Some protection is better than no protection, and sometimes plans, budget, or resources will only allow certain things to get done, even though they may not address the most critical issue, and that is okay. Create a plan, socialize it with stakeholders, and execute!