Over the course of his 21-year career at Genesee County Drain Commissioner Division of Water & Waste Services (GCDCWWS), CTO Jerod Asbridge has experienced the growing need for cybersecurity. But this experience isn’t unique to Asbridge and GCDCWWS. He joined our podcast, From the Plant Floor Up, to discuss how trends such as the convergence of IT and OT and expanding threat landscape have water facilities nation-wide and the federal government seeking cybersecurity solutions. In fact, this trend recently spurred the U.S. Environmental Protection Agency (EPA) to issue a memorandum addressing cybersecurity best practices at public water systems. In this post, we delve further into this mandate.
The EPA’s Action on Water Management Cybersecurity
As EPA Assistant Administrator for Water Radhika Fox explained, “Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health.” That’s why the agency recently decided to release a set of actions and requirements for systems operators to meet. According to the memorandum, states will have to conduct audits of their cybersecurity practices, which will be integrated into their sanitary surveys. To assist with the process, the EPA has included information and options for completing cybersecurity reviews, and has even opened the guidance to feedback (which must be submitted by May 31, 2023).
According to CPO Magazine, this action came in response to the EPA’s finding that public water systems generally lack sufficient cybersecurity programs if they even include one at all. In total, the guidance, titled “Evaluating Cybersecurity During Public Water Sanitary Surveys,” will impact around 153,000 operators. In order to help those that lack the resources – a point that Asbridge touched on during his conversation with us – the EPA is offering forms of financial aid.
The Big Picture Around Water Management Cybersecurity
The spotlight on protecting public water systems from cyber vulnerabilities comes as the threat of attacks becomes more and more realistic. Sean Lyngaas reports for CNN that “The FBI and US Cybersecurity and Infrastructure Security Agency have warned about multiple ransomware attacks on the computer networks of water and wastewater facilities from California to Maine.” In turn, the Water Information Sharing and Analysis Center (WaterISAC), a cyber data organization serving the industry, has seen its membership expand across the country.
On an even larger scale, the water sector represents the cyber risk environment surrounding all of critical infrastructure, which is why there has been a full-fledged regulatory effort to enhance cyber defenses. Listen here to Asbridge’s interview on GCDCWWS’s partnership with DYNICS and how our ICS360.Defender is preparing them to both protect their facilities and fulfill the requirements coming down the policy pipeline.
Sources:
- “Cybersecurity assessments to be included in sanitary surveys” – Staff, Water Finance & Management
https://waterfm.com/cybersecurity-assessments-to-be-included-in-sanitary-surveys/ - “US Public Water Systems Subject to New Cybersecurity Requirements as EPA Publishes Mandate” – Scott Ikeda, CPO Magazine
https://www.cpomagazine.com/cyber-security/us-public-water-systems-subject-to-new-cybersecurity-requirements-as-epa-publishes-mandate/ - “US introduces new rules to protect water systems from hackers” – Sean Lyngaas, CNN
https://www.cnn.com/2023/03/03/politics/epa-water-cybersecurity-rules/index.html
