EPA Publishes Drinking Water Cybersecurity Memo
On Friday, the Environmental Protection Agency (EPA) published its long-awaited memorandum on cybersecurity in the public water sector (PWS). The memo directs state water authorities to undertake cybersecurity reviews as part of the periodic ‘sanitary surveys’ required under 40 CFR 142.16(b)(3). In every State except Wyoming, State agencies have ‘primacy’ over the enforcement of Federal and State public drinking water rules, and are thus responsible for ensuring that the ‘sanitary surveys’ are conducted.
Authority
There have already been complaints (see here for instance) about the EPA’s presumed authority to include this requirement under the PWS regulations. The current EPA regulation defines a ‘sanitary survey’:
“For the purposes of this paragraph, “sanitary survey” means an onsite review of the water source (identifying sources of contamination using results of source water assessments where available), facilities, equipment, operation, maintenance, and monitoring compliance of a public water system to evaluate the adequacy of the system, its sources and operations and the distribution of safe drinking water.” [emphasis added]
It does not seem to be too much of a regulatory stretch to think that cybersecurity issues related to the operational technology at a public water system would play an important role in ensuring the ‘distribution of safe drinking water’. While the EPA could certainly have conducted a rulemaking to specifically include the cybersecurity requirements in this memo in the §142.16(b)(3) requirements, the agency chose to adjust its interpretation as a way of avoiding the publish and comment process such a change would require.
For a more complete explanation of the EPA’s rationale for including cybersecurity evaluations in the sanitary survey, see the discussion under “B. What action is EPA taking?” on pages 7 and 8 of the Memo.
There will almost certainly be court challenges to this interpretation. Additionally, I would suspect that portions of the Republican caucus in the House would consider this to be a regulatory overreach on the part of the EPA, so we might see a congressional challenge to this new guidance as well.
Sanitary Survey
The new requirements for sanitary surveys include (pg 3):
If the PWS uses an ICS or other operational technology as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.
If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the PWS to address the significant deficiency.
The term ‘significant deficiency’ is already defined in §142.16(o)(2)(iv). That paragraph notes that:
“Significant deficiencies include, but are not limited to, defects in design, operation, or maintenance, or a failure or malfunction of the sources, treatment, storage, or distribution system that the State determines to be causing, or have potential for causing, the introduction of contamination into the water delivered to consumers.”
The EPA provides four options for State primacy agencies to conduct the newly required cybersecurity portion of the sanitary surveys (pgs 3-5):
Self-assessment of cybersecurity practices,
Third-party Assessment of cybersecurity practices,
State evaluation of cybersecurity practices during the sanitary survey, and
Alternative state program for water system cybersecurity.
The EPA would require that facilities using the first two options do so before the Primacy Agency conducts its sanitary survey, and that the reports of those assessments be provided to the Agency when the sanitary survey is conducted.
Supporting Information
The EPA has not yet updated its ‘Sanitary Surveys’ web page to reflect the inclusion of cybersecurity evaluations. Instead, it published a new web page: ‘EPA Cybersecurity for the Water Sector’. This page includes the resources that the EPA discusses in its memo and a number of other resources. There are resources in the following categories:
Report Cyber Incidents,
Assessing Cybersecurity in Sanitary Surveys,
Resources to Conduct Cybersecurity Assessments,
Technical Assistance,
Training,
Cybersecurity 101 Webinar,
Additional Cybersecurity Resources and Tools,
Funding Options,
Alerts - National Cyber Awareness System,
Other US Government Cybersecurity Resources, and
Cybersecurity Reports to Congress
Cybersecurity Reporting
The EPA Cybersecurity for the Water Sector page provides links to a Cyber Incident Reporting Fact Sheet from the EPA and a link for reporting cybersecurity incidents to CISA. There is no discussion of a time limit for reporting a cybersecurity incident. The Fact Sheet is interesting in that it provides three different reporting options:
Report to the FBI for threat response,
Report to CISA for asset response, or
Contact EPA for centralized response
The Fact Sheet also provides guidance on when to report to the federal government. Interestingly, that list does not include any water facility specific incidents. I would have expected to see an additional bullet point that read something like:
• Any impact to water treatment quality or interruption of delivery of treated drinking water.
Guidance Document
The EPA has also published a guidance document: ‘Evaluating Cybersecurity During Public Water System Sanitary Surveys’. This document duplicates much of the information provided in the memorandum, but also provides additional information. Appendix A to the document provides a ‘Cybersecurity Checklist for Public Water System Sanitary Surveys’. Appendix B provides a more detailed description (usually with links to even more detailed discussions) for the questions provided in the Appendix A checklist. For the most part, the checklist is not really water system specific; almost any operational technology owner could use this checklist to evaluate their cybersecurity posture.
The EPA is soliciting public comments on the guidance document, specifically sections 4 through 8 and Appendix A and Appendix B. Comments should be submitted via email to wicrd-outreach@epa.gov by May 31st, 2023. It will be interesting to see what comments cybersecurity professionals have on the Checklist.