The EPA is taking action on Cybersecurity for Public Water Systems. Is your IT up to the task?
As the world becomes increasingly reliant on technology, the importance of cybersecurity grows. The U.S. Environmental Protection Agency (EPA) is taking action on cybersecurity for public water systems, making it essential for IT departments to ensure their infrastructure and systems are secure. Cybersecurity is a significant concern for all businesses, but especially for those in the public water services industry, which requires a proactive approach to addressing potential threats.
Who started the process?
On March 3, 2023, the EPA released a memorandum highlighting the growing risks of cyber-attacks against critical infrastructure facilities, including drinking water systems. These attacks have the potential to contaminate drinking water and threaten public health. As the water sector continues its digitization efforts, cybersecurity risks increase. The EPA is urging water utilities to adopt a risk management approach to cybersecurity, which includes identifying, assessing, and addressing risks.
“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water Radhika Fox.
Why are they doing this?
Protecting water systems from cybersecurity threats is crucial for the continued delivery of safe and reliable water services. The increased use of digitization, automation, and industrial control systems (ICS) in the water sector has made water systems more vulnerable to cyber-attacks. The EPA is working with water utilities, other federal agencies, state and local governments, and the private sector to promote cybersecurity awareness and share information about threats and vulnerabilities. The EPA believes that water utilities need to improve their cyber defenses, educate employees about cybersecurity risks, and plan their response to cyber-attacks. The EPA’s actions will help protect water supplies from cyber-attacks and ensure that our drinking water remains safe.
When is the deadline for compliance?
The EPA has set a compliance deadline of May 31, 2023, for public water systems to meet new cybersecurity requirements. These requirements include conducting risk assessments, implementing security controls, and developing incident response plans. Water systems that fail to comply by the deadline will face enforcement action.
What areas are they focusing on?
The EPA is focusing on various aspects of cybersecurity, including password structuring, multi-factor authentication, patch management, and equipment age. Public water systems are large and complex, making them difficult to secure. All it takes is one missing patch or one device running outdated firmware to open a door for cyber-attacks.
How can we get assistance?
If your IT department needs assistance in ensuring compliance with the EPA’s new guidelines, SandStorm IT is available to help you meet the new EPA requirements. SandStorm IT can assess your current cybersecurity posture, identify gaps, and implement corrective measures. SandStorm IT also offers cybersecurity training to improve employee knowledge and resilience against social engineering. Contact us at 901-475-0275 to learn more about our services and how we can help ensure compliance.