EPA issues cybersecurity memo for water systems.
Mar 6, 2023

Memorandum would require cybersecurity to be included in water system audits.

The US Environmental Protection Agency (EPA) on Friday issued a memorandum “stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water.”

Memo requires water systems to include cybersecurity in their safety audits.

The memorandum requires that states include cybersecurity when they conduct audits of water systems. The agency said in a statement, “While some public water systems (PWSs) have taken important steps to improve their cybersecurity, a recent survey and reports of cyber-attacks show that many have not adopted basic cybersecurity best practices and are at risk of cyber-attacks — whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor. This memorandum requires states to survey cyber security best practices at PWSs.”

CyberScoop notes criticism from industry experts and insiders who stated that the memorandum wasn’t developed with input from industry groups, and that sanitation surveyors lack the proficiency to evaluate cybersecurity threats.

Shayla Powell, a public affairs specialist at the EPA, told CyberScoop in an email, “EPA and the Association of State Drinking Water Administrators convened in 2022 a workgroup of representatives from state and tribal drinking water agencies to discuss evaluating cybersecurity in PWS sanitary surveys. Over the course of four months, EPA engaged with the workgroup on their issues of concern and solicited comments on potential approaches to address them.”

Industry comments on water cybersecurity.

Chris Grove, Director of Cybersecurity Strategy at ICS/OT cybersecurity firm Nozomi Networks, stated:

“Water and wastewater providers are in a tough position of balancing between, in many cases, municipal budget and safety. Even though safe drinking water is crucial to our society, there is less cybersecurity regulation there, than for cereal or pharmaceuticals. The new EPA self-assessment provides a high-level, non-prescriptive approach to ensuring the water providers are paying attention, in some form or fashion, to their cybersecurity. Whether the provider follows detailed common standards like ISA 62443, or higher level best practices like the CISA Cyber Resilience Review, organizations will be held responsible for ensuring they are completing those processes and taking action, while at the same time affording the flexibility needed for the myriad of various water provider architectures, infrastructures, and unique challenges.”

Mike Hamilton, former CISO of the City of Seattle, former Policy Adviser to WA State, former Vice-Chair of the DHS State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) and CISO of Critical Insight, offered the following observations:

“It’s clear that this guidance is using an existing authority of the EPA as the sector-specific agency for water and waste. Because the EPA has historically only regulated water purity, they’re using the existing sanitary survey audits to subtly expand their purview. To the extent that cyber exposures for operational technologies can be compromised to affect water safety this makes sense.

“It’s a bit disheartening that the third-party assessment resources seem limited to DHS, EPA, and States, making this activity hard to scale across the breadth of water utilities across the country. Allowing for private-sector cybersecurity companies to perform assessments would accelerate the collection of information and the development of corrective action plans.

“As this plan seems to be in direct response to the National Cybersecurity Strategy I anticipate other variants of the same tactic – expanding an existing authority. For example, the Coast Guard, as the sector-specific agency for maritime ports, will likely require cyber assessments as part of the biannual Facility Security Plan (FSP) that has always been required.”

Chris Warner, Senior OT Cyber Security Consultant at GuidePoint Security, commented:

“Securing water delivery systems is a challenge due to the use of OT called SCADA systems. Many are connected to IT systems to provide data used to efficiently manage the safety and reliability of drinking water, water treatment facilities and flood control. SCADA systems are designed to function in all environments and are built to last decades, with little focus on cybersecurity. The more OT and IT connect, the attack surface becomes larger for bad actors to make their way in and ransom, manipulate data or cause other destructive operations. 

“Water utilities have numerous physical sites diverse in architecture and challenging nationwide. These organizations work diligently to ensure integrity and security for water treatment management for clean and safe drinking water distribution networks and real-time flood control system monitoring. These organizations have limited resources to protect from cyber-attacks. 

“The EPA and the American Water Works Association (AWWA) mandate over 180 standards of practice for water utilities, and many U.S. states have their regulations. Some states are encouraging water utilities to align to the NIST CSF. The NIST CSF mainly focuses on business, IT, and a limited amount of OT.”

(Added 3:30 PM ET, March 6th, 2023. Brendan Peter, Vice President of Global Government Affairs at SecurityScorecard, approves of the memo and points out that the risk is not purely theoretical, since cyber incidents have affected water systems in the recent past:

"The memo published by the EPA that informs States of new requirements for the cybersecurity of drinking water systems is a step in the right direction when it comes to implementing controls to protect United States' critical infrastructure.

"There have been incidents whereby drinking water systems have been compromised in the past, such as a breach of a Florida drinking water facility in 2021 whereby attackers gained remote access to a system and tried to increase the levels of sodium hydroxide in the water supply. Thankfully, in that case, a vigilant employee noticed anomalous activity and was able to mitigate it before anyone got hurt. The incident in Florida was one of the first times whereby a cyberintrusion of a water treatment facility with an attempt to cause physical damage was documented and reported upon, however, it is highly likely that similar vulnerable conditions that led to the breach still exist in water treatment facilities all over the country.

"The release from the EPA hopes to implement policies that will mitigate the risks of similar attacks. However, like any policy-based solution, it is up to the individual companies within the industry to implement and adhere to them in order for it to work.")

(Added, 4:15 PM ET, March 6th, 2023. Pete Lund, VP of Products – OT Security at OPSWAT, thinks the memo valuable, and notes that one challenge the sector faces is its distributed nature, as water is run by local authorities, many of whom are strapped for security resources:

“The timely EPA memo follows the administration’s ongoing effort to improve the security of our nation’s critical infrastructure. Like other critical industries, Water and Wastewater Systems deal with vulnerabilities within both their IT and OT systems – and an attack on either could be devastating to public safety and business operations. If, for example, ransomware hit a facility’s OT such as the treatment and distribution systems, surrounding communities could feel the debilitating impacts - whether that’s loss of access to clean and safe water or cascading effects into other critical services such as hospitals or firefighting. While the attack was mitigated, the biggest wake-up call was perhaps the Oldsmar incident in 2021 when a threat actor infiltrated the network through hacked remote access software and attempted to increase sodium hydroxide levels in the water supply to poison residents. 

“The challenge with improving security within Water and Wastewater Systems is that they are typically smaller municipalities with stretched resources, resulting in lower cybersecurity maturity than other industries. Compliance with industry requirements is a good first step, but so is starting with the basics. These organizations can start by assessing their people, process and what the impacts to operations would be if a cyberattack hit. Look at threat vectors and implement solutions that reduce the likelihood of an attack having an impact on those operations. Steps like securing remote access and removable media can greatly help increase resiliency.”

Jan Lovmand, CTO of BullWall, also refers to the 2021 incident in Florida, and points out that physical municipal infrastructure also forms part of the attack surface:

“Often forgotten in the battle to prevent cyber attacks, physical municipal infrastructure such as public water supplies can provide an open attack surface for hackers, as evidenced by the 2021 attack on a Florida water supply. The EPA Assistant Administrator, Radhika Fox, noted that a threat to public water systems is also a threat to public health, as cyber-attacks have the potential to contaminate drinking water and said that it is essential to address the cybersecurity of these systems as a top priority to protect public health.

“The cyber risk to public water systems is not just due to their connectivity to government networks, as it could be just as easy to shut down a city by controlling their water supply as any other aspect of their infrastructure. Municipalities that do not prioritize cybersecurity and do not have robust protections in place are at higher risk of falling victim to these types of attacks.

“The White House is proposing that states report on cyber threats noted in their audit reports of public water systems and the EPA is offering guidance to states to assist them in building out their water supply cybersecurity programs. However, given the critical importance of these systems to public health and safety, municipalities had best prioritize cybersecurity investments now, to prevent cyber-attacks and safeguard their water supplies.”

David Brunsdon, Threat Intelligence, Security Engineer at Hyas, sees the combination of automation and human monitoring as another contribution to water systems' attack surface. “Water systems utilize a significant amount of automation and are monitored simultaneously by the control systems, and human operators,” he said. “Like in Florida, 2021, threat actors could misuse the system to introduce chemicals to the water. A more sophisticated attack would be covert and would obfuscate the changes from both the plant operators and automated monitoring systems. Municipal governments and water treatment plants are vulnerable to well-funded nation-state actors, and so protecting water systems should be considered a national security concern.”)