Mar 3, 2023 - Technology

EPA issues new water cyber requirements

Illustration of a hand made of water coming out of a faucet.

Illustration: Brendan Lynch/Axios

The Environmental Protection Agency issued a memo to state governments today requiring local water systems to meet basic cybersecurity standards.

Why it matters: High-profile cyberattacks on water systems in Florida and California in recent years have showcased how insecure the nation's cash-strapped water utilities are in their digital systems.

The big picture: The EPA's memo is the first set of cybersecurity requirements specifically targeting the water sector, and it fits into the Biden administration's effort to establish cybersecurity requirements for all critical infrastructure sectors.

What they're saying: "Based on the incidents we've seen, we concluded that the water sector had not achieved adequate product progress [on cybersecurity], certainly not commensurate with the importance of the sector to the nation and the nation's security," David Travers, director of the EPA's Water Security Division, told reporters during a press briefing.

Details: The EPA memo establishes a new interpretation of the Safe Drinking Water Act that requires state governments to include questions about cybersecurity in periodic, already required sanitary surveys.

  • New questions include those about the water system's password practices, encryption uses and internal cybersecurity team setup.
  • The sanitary surveys are conducted every three to five years by local sanitation experts and have historically focused on physical security issues.
  • The EPA had to get creative to establish cybersecurity requirements, given its own lack of resources and minimal authorities to regulate water cybersecurity issues.

Between the lines: State regulators will have "quite a bit of flexibility" to determine how best to incorporate cyber into their surveys and how they'll meet these basic requirements, Radhika Fox, assistant administrator for the EPA's Office of Water, told reporters.

  • The EPA is accepting comments on the guidance until May 31, and it will update the document later as needed based on those submissions.

Yes, but: Some industry experts have already criticized the EPA's highly anticipated memo, warning that local sanitation inspectors lack the expertise needed to properly assess a water system's cybersecurity program.

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper