Understand the key cyber security requirements of the Safe Drinking Water Act (SDWA) and see how to effectively build and maintain a written information security program to maintain compliance.
NOTE: When this article was originally published, cyber audits were going to be part of the sanitary surveys. That requirement was removed. But cyber security remains a key focus as attacks increase.
What are the EPA water cyber security requirements?
The U.S. Environmental Protection Agency (EPA) issued a new memorandum in March 2023 to require public water systems (PWS) to adopt better cyber security. The assessment of cyber risks was to be included as part of “sanitary surveys”, which are existing periodic audits of water systems. The EPA requirements generally align with key cyber security practices for protecting information and systems. To comply, each PWS must adopt a written information security program that addresses key cyber security practices. According to the EPA:
Cybersecurity represents a substantial and increasing threat to the water sector, given the relative ease of access to critical water treatment systems from the internet. Currently, many water systems do not implement cybersecurity practices. Efforts to improve cybersecurity through voluntary measures have yielded minimal progress to protect the nation's vitally important drinking water systems.
EPA Memorandum, March 2023
Increased Attacks on Water Infrastructure
Several factors are converging to increase focus on cyber security. International threat actors are increasing their focus on water utilities. In the most high-profile recent event, American Water Works was hacked. EPA inspections have identified an alarming number of vulnerabilities in water systems. Over 70% of the systems inspected by EPA since September 2023 are in violation of basic SDWA Section 1433 requirements. Enforcement actions have also increased. EPA has taken over 100 enforcement actions nationally against CWSs for violations of Section 1433 since 2020, which was the first compliance deadline.
How is the EPA enforcing cyber security practices?
The primary regulatory vehicle for cyber is the Safe Drinking Water Act (SDWA). Section 1433 of the SDWA requires all CWSs serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs) and certify their completion to EPA. This went into effect in 2020. Since then there have been numerous alerts and updates.
To help water companies with the cyber assessment requirements, the EPA released a variety of tools and guidelines to help water companies assess and mitigate their cyber risks. In short, the EPA requires that organizations adopt a core set of defensible cyber security controls.
When does the EPA Cyber requirement go into effect?
The cyber requirements of the Safe Drinking Water Act (SDWA) went into effect in 2020. Since then there have been numerous alerts and updates. (Note: Previously EPA was requiring cyber assessments as part of sanitary surveys starting March 2023. That requirement was removed.)
Who must comply with the EPA Cyber Rule?
The EPA Cyber Rule applies to any organization responsible for delivering safe drinking water to the public. These are called Public Water Systems (PWS) as defined by the EPA.
If the PWS uses an Industrial Control System or other “operational technology” as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.
The term “operational technology” means hardware and software that detects or causes a change through the direct monitoring or control of physical devices, processes, and events in the enterprise.
Internet of Things Cybersecurity Improvement Act of 2020, 15 U.S.C. § 271(3)(6) (Public Law 116-207).
Therefore, any information systems that are involved in the delivery of water can be included as part of the evaluation.
What are the penalties for non-compliance?
According to the EPA, if the state determines that a cybersecurity deficiency identified during a sanitary survey is “significant”, then the PWS is required to address the significant deficiency. At this point there are no fines or other financial penalties.
What does the EPA Cyber Rule Require?
In order to help PWSs determine their cyber program requirements, the EPA issued a Cyber Assessment tool. The tool addresses controls in these key areas:
1.0 Account Security – The EPA requires that user and privileged accounts are created and managed using secure practices such as strong passwords and robust access controls.
2.0 Device Security – The EPA requires that computing devices are secured throughout the lifecycle of the assets, including asset inventories and configuration management.
3.0 Data Security – The EPA requires that controls are in place to secure sensitive data, both at rest and during transit using proper encryption.
4.0 Governance and Training – The EPA requires management accountability for cyber security, including the appointment of key cyber security leadership and ongoing security awareness training for all employees.
5.0 Vulnerability Management – The EPA requires that vulnerabilities for key systems are monitored and remediated.
6.0 Supply Chain – The EPA requires that the PWS periodically evaluate the risk of its supply chain including key third-party vendors.
7.0 Response and Recovery – The EPA requires the PWS to have a documented response plan in place to properly detect and respond to security incidents.
8.0 Other – The EPA requires controls for network security, threat monitoring and email security.
Do we need to hire a cyber security expert to implement the EPA Cyber requirements?
The EPA requires a “qualified individual” to be responsible for the information security program. It does NOT require that this person be an outside expert. While it is always best to have professional cyber security advice, hiring a cyber security expert may not be an option for many organizations. Based on our experience, organizations that have solid technical expertise can implement the EPA cyber requirements, especially the technical elements such as access control, data storage and incident response. In some cases, you can enhance your team with a “Virtual CSO” that works part-time in your organization.
How can a PWS simplify EPA Cyber Compliance?
The EPA suggests several key steps to get started. The first step is to assign someone in your organization to be responsible for the cyber security project. That may or may not be the person who is ultimately responsible for the program, the “Qualified Individual” who serves as the cyber leader.
The next step is to
To dramatically reduce the cost and time of developing and implementing a cyber program, consider using an all-in-one tool like ComplianceShield. Using ComplianceShield your organization can build a complete cyber security baseline that addresses all of the EPA requirements in under 10 minutes. ComplianceShield includes the following:
- A complete library of information security policy templates that address all of the key EPA requirements, including account management, data security, device security, third-party risk, governance, training and incident response.
- EPA Cyber Control Baseline to quickly define, document and start tracking the program; (4.0)
- A Roles and Responsibilities library that documents the responsibilities of the appointed Information Security Leader
- Built-in templates and automation for third-party cyber risk management (5.0)
- Integrated security awareness and training courses to address the Governance and Training requirement. (4.0)
- Integrated policies and processes to support incident management and response. (7.0)
- Support for internal and external audits, including integration of evidence from vulnerability scanning and log data
To learn more contact us or register for a live demo. It takes only 15 minutes.