News Feature | March 14, 2023

As Hackers Loom, U.S. EPA Requires Water Systems To Evaluate Cyber Defenses

Peter Chawaga - editor

By Peter Chawaga


Months after a notable wave of computer system hacks caught drinking water and wastewater systems around the country off guard, the U.S. EPA is making the protection of these systems a priority.

“The Environmental Protection Agency (EPA) will require states to evaluate cybersecurity as part of their checks on public drinking water systems,” The Hill reported. “The agency said … that many such systems haven’t taken basic steps to ensure their security, even as cyberattacks are becoming more frequent.”

In 2021, hackers got close to poisoning drinking water in Florida, California, and Maryland, and targeted wastewater treatment facilities in Maine and California as well. With the threat of these attacks growing — including the potential of a state-sponsored cyberattack from Russia — and surveys indicating many water systems are underprepared, the Biden administration has been seeking ways to bolster public water systems.

The cybersecurity evaluations will be enforced as part of ongoing sanitary surveys conducted for public water systems, and the EPA has outlined requirements if these systems are found to have insufficient protection in place.

“If a public water system uses operational technology (OT) like an industrial control system (ICS) in its operations, then as part of the larger sanitary survey, the evaluation also must include the cyber security protections of the OT, such as practices and controls,” according to The Register. “If ‘significant deficiencies’ in the cyber security protections are found — such as design or operational defects or malfunctioning or failing water treatment, storage, or distributions systems — the state must ensure the [water system] addresses it.”

The EPA has also left some room for water systems operators to conduct self-assessments or for third parties to evaluate them, rather than require that these assessments be conducted at the state level in every instance. And it is also offering some assistance as public water systems attempt to catch up with the growing threat of cyberattacks.

“The agency has also offered to provide technical assistance and training, as well as financial help through such programs as the Drinking Water State Revolving Fund and the Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program,” per The Register.

To read more about how drinking water and wastewater treatment operations bolster their online security, visit Water Online’s Resiliency Solutions Center.