On Friday, the Environmental Protection Agency issued a memorandum requiring states to examine cyber defenses at public water systems during routine audits.
The EPA already requires the audits, known as sanitary surveys, to detect harmful chemicals.
Water utilities are typically smaller than electric utilities and have fewer dedicated cybersecurity personnel. The EPA stated that as part of the new cyber requirement, it is providing technical assistance to states and water systems.
“Cyberattacks on critical infrastructure facilities, including drinking water systems, are on the rise, and public water systems are particularly vulnerable,” said EPA Assistant Administrator Radhika Fox in a statement. “Cyberattacks have the potential to contaminate drinking water, putting public health at risk.”
The new initiative comes after voluntary efforts to improve digital defenses at water facilities fell short, and two years after an intrusion at a water treatment plant in Oldsmar, Florida. The intruder raised the setpoint for sodium hydroxide (lye), which the plant uses to control the water’s pH and remove metals, by a factor of roughly 100, a concentration that would have been hazardous to consumers. The change was reversed within minutes, and authorities at the time stated that other safety precautions were in place that would have prevented a disaster.
The EPA’s announcement echoes a strategy outlined by the White House in its recently released National Cybersecurity Strategy, which calls for using existing rules and statutes to require stronger cybersecurity at critical infrastructure.
“I anticipate other variants of the same tactic – expanding an existing authority,” said Mike Hamilton, chief information security officer at Critical Insight.
Mark Montgomery, former executive director of the Cyberspace Solarium Commission, which made recommendations to Congress on improving US cyber defenses, criticized the memorandum, saying that state sanitary inspectors do not always have the expertise to perform an adequate cyber audit.
“Unfortunately there are 55,000 utilities doing water,” Montgomery said. “It’s the pinnacle of checklist management, except it’s performed by someone who might not understand the words on the checklist.”