(Bloomberg) — The Environmental Protection Agency issued a memorandum on Friday requiring states to analyze cyber defenses at public water systems during periodic audits.
The audits, called sanitary surveys, are already required by the EPA to detect harmful chemicals.
Water utilities are typically smaller than electric utilities and less likely to have a dedicated cybersecurity staff. As part of the new cyber requirement, the EPA said it is providing technical assistance to states and water systems.
“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox, in a statement. “Cyberattacks have the potential to contaminate drinking water, which threatens public health.”
The new initiative comes after efforts to improve digital defenses at water facilities through voluntary measures fell short and following a breach two years ago at a water treatment plant in Oldsmar, Florida. The hacker increased the level of sodium hydroxide, which is used to remove metals, by a factor of 100, a potentially dangerous increase. The attempt to increase the chemical was quickly reversed, and authorities at the time said there were other safety measures in place that would have prevented a catastrophe.
The announcement by the EPA echoes a tactic outlined by the White House in its newly released National Cyber Strategy to use existing rules and statutes to require enhanced cybersecurity of critical infrastructure.
“I anticipate other variants of the same tactic – expanding an existing authority,” said Mike Hamilton, chief information security officer at the cybersecurity firm Critical Insight.
Mark Montgomery, a former executive director of the Cyberspace Solarium Commission, which made recommendations to Congress to improve US cyber defenses, criticized the memorandum, saying state sanitary inspectors don’t always have the knowledge to adequately perform a cyber audit.
“Unfortunately there are 55,000 utilities doing water,” Montgomery said. “It is the ultimate in checklist management, except done by someone who may not understand the words on the checklist.”
©2023 Bloomberg L.P.