Reviewing US EPA’s New Cybersecurity Evaluation Requirements in Sanitary Surveys Conducted at Public Water Systems
Previously, we discussed the Biden-Harris Administration’s emphasis on cybersecurity in the water utility sector. This month, the Administration continued that trend by issuing a final memorandum interpreting the regulatory requirements pertaining to public water system (PWS) sanitary surveys to require that states evaluate operational technology for cybersecurity when conducting the periodic sanitary surveys. A fact sheet issued by US EPA also provides a brief outline of the new memorandum’s requirements.
Under this US EPA interpretation of the regulatory requirements relating to PWS sanitary surveys, if a PWS uses an Industrial Control System or other operational technology as the equipment or operation of a required component in a sanitary survey, then a state must evaluate the adequacy of the cybersecurity relating to that operational technology. Further, states must use their authority to address any significant deficiencies identified in the cybersecurity of that operational technology. According to the memorandum, a significant deficiency “should include the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water.”
To evaluate cybersecurity in PWS sanitary surveys, states have the following options:
Use self-assessment by the PWS or third-party assessment of cybersecurity practices;
Perform state evaluation of cybersecurity practices during the sanitary survey; or
Employ an alternative state program for water system cybersecurity.
Under the third option, states can use existing programs that conduct cybersecurity assessments or can develop new programs as an alternative to including cybersecurity in a PWS sanitary survey. US EPA also issued a guidance document, Evaluating Cybersecurity During Public Water System Sanitary Surveys, which provides more information on the new cybersecurity component of sanitary surveys and is intended for use by states and PWSs.
In addition to elaborating on the interpretive memorandum, US EPA’s guidance document includes information regarding technical support for evaluating cybersecurity in sanitary surveys. US EPA has established a program, the Cybersecurity Technical Assistance Program for the Water Sector, where PWSs can submit questions or request a consultation with a subject matter expert. Additionally, the Agency’s Water Sector Cybersecurity Evaluation Program may be used to assess cybersecurity practices at PWSs. US EPA’s guidance document also outlines numerous technical and financial resources to assist in assessing cybersecurity, and it further provides a checklist to evaluate cybersecurity at PWSs. A vast array of other resources exists on US EPA’s webpage, EPA Cybersecurity for the Water Sector, including guidance for primacy agencies as well as PWSs.
Recently, on March 17, associations including American Water Works Association, Association of Metropolitan Water Agencies, National Association of Water Companies, and The United States Conference of Mayors (collectively, Associations), submitted a letter to US EPA Administrator Michael Regan and OMB Office of Information and Regulatory Affairs Administrator Richard Revesz opposing the new cybersecurity component in sanitary surveys. According to the Associations, the new information collection and record keeping requirements imposed violate the Paperwork Reduction Act and are not covered by US EPA’s current Information Collection Request for the PWS Supervision Program. The Associations requested that US EPA withdraw the new requirements until it fulfills its statutory obligations.
We encourage PWSs to review US EPA’s resources regarding cybersecurity as they navigate this new point of emphasis at US EPA and implementation at the state level.