Understand the key cyber security requirements of the new EPA Cyber Rule for water and see how to effectively build and maintain a written information security program to maintain compliance.
What are the EPA water cyber security requirements?
The U.S. Environmental Protection Agency (EPA) issued a new memorandum in March 2023 requiring public water systems (PWS) to adopt better cyber security. The assessment of cyber risks is now included in “sanitary surveys”, the existing periodic audits of water systems. The new EPA requirements generally align with key cyber security practices for protecting information and systems. To comply, each PWS must adopt a written information security program that addresses those practices. According to the EPA:
Cybersecurity represents a substantial and increasing threat to the water sector, given the relative ease of access to critical water treatment systems from the internet. Currently, many water systems do not implement cybersecurity practices. Efforts to improve cybersecurity through voluntary measures have yielded minimal progress to protect the nation's vitally important drinking water systems.
(EPA Memorandum, March 2023)
How is the EPA enforcing cyber security practices?
In order to increase cyber security, the EPA added a cyber security assessment to the traditional “Sanitary Survey” required of all Public Water Systems (PWS). A sanitary survey is a periodic audit of a public water system’s capability to supply safe drinking water (40 CFR § 141.2).
To help water companies with the new cyber assessment requirements, the EPA released a variety of tools and guidelines for assessing and mitigating their cyber risks. In short, the EPA requires that organizations adopt a core set of defensible cyber security controls.
When does the EPA Cyber requirement go into effect?
The EPA began requiring cyber assessments as part of Sanitary Surveys starting March 2023.
Who must comply with the EPA Cyber Rule?
The EPA Cyber Rule applies to any organization responsible for delivering safe drinking water to the public. These are called Public Water Systems (PWS) as defined by the EPA.
If the PWS uses an Industrial Control System or other “operational technology” as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.
The term “operational technology” means hardware and software that detects or causes a change through the direct monitoring or control of physical devices, processes, and events in the enterprise.
(Internet of Things Cybersecurity Improvement Act of 2020, 15 U.S.C. § 271(3)(6) (Public Law 116-207))
Therefore any information system involved in the delivery of water can be included as part of the evaluation.
What are the penalties for non-compliance?
According to the EPA, if the state determines that a cybersecurity deficiency identified during a sanitary survey is “significant”, then the PWS is required to address the significant deficiency. At this point there are no fines or other financial penalties.
What does the EPA Cyber Rule Require?
To define the cyber program requirements, the EPA issued a Cyber Assessment tool. The tool addresses controls in these key areas:
1.0 Account Security – The EPA requires that user and privileged accounts are created and managed using secure practices such as strong passwords and robust access controls.
2.0 Device Security – The EPA requires that computing devices are secured throughout the lifecycle of the assets, including asset inventories and configuration management.
3.0 Data Security – The EPA requires that controls are in place to secure sensitive data, both at rest and during transit using proper encryption.
4.0 Governance and Training – The EPA requires management accountability for cyber security, including the appointment of key cyber security leadership and ongoing security awareness training for all employees.
5.0 Vulnerability Management – The EPA requires that vulnerabilities for key systems are monitored and remediated.
6.0 Supply Chain – The EPA requires that the PWS periodically evaluate the risk of its supply chain including key third-party vendors.
7.0 Response and Recovery – The EPA requires the PWS to have a documented response plan in place to properly detect and respond to security incidents.
8.0 Other – The EPA requires controls for Network Security, threat monitoring and email security.
Do we need to hire a cyber security expert to implement the EPA Cyber requirements?
The EPA requires a “qualified individual” to be responsible for the information security program. It does NOT require that this person be an outside expert. While it is always best to have professional cyber security advice, hiring a cyber security expert may not be an option for many organizations. Based on our experience, organizations with solid technical expertise can implement the EPA cyber requirements, especially the technical elements such as access control, data storage and incident response. In some cases, you can enhance your team with a “Virtual CSO” who works part-time in your organization.
How can a PWS simplify EPA Cyber Compliance?
The EPA suggests several key steps to get started. The first step is to assign someone in your organization to be responsible for the cyber security project. That person may or may not be the “Qualified Individual” who is ultimately responsible for the program as its cyber leader.
The next step is to
To dramatically reduce the cost and time of developing and implementing a cyber program, consider using an all-in-one tool like ComplianceShield. Using ComplianceShield, your organization can build a complete cyber security baseline that addresses all of the EPA requirements in under 10 minutes. ComplianceShield includes the following:
- A complete library of information security policy templates that address all of the key EPA requirements, including account management, data security, device security, third-party risk, governance, training and incident response.
- An EPA Cyber Control Baseline to quickly define, document and start tracking the program (4.0).
- A Roles and Responsibilities library that documents the responsibilities of the appointed Information Security Leader.
- Built-in templates and automation for third-party cyber risk management (5.0).
- Integrated security awareness and training courses to address the Governance and Training requirement (4.0).
- Integrated policies and processes to support incident management and response (7.0).
- Support for internal and external audits, including integration of evidence from vulnerability scanning and log data.