The Environmental Protection Agency (EPA) has announced new cybersecurity regulations for public drinking water systems in the United States. The move comes in response to growing concerns over the vulnerability of critical infrastructure systems to cyberattacks, which can have serious implications for public health and safety.
The EPA’s new regulations will require states to assess the cybersecurity practices of public water systems as part of their periodic audits. This includes conducting regular risk assessments to identify vulnerabilities in the water systems, as well as implementing cybersecurity best practices like network segmentation, user access controls, incident response planning, and employee training.
In recent years, there has been a rising threat of cyberattacks by criminal actors and rogue nation-states targeting drinking water facilities across the US. These attacks have been shown to have serious consequences, including the shutdown of critical treatment processes and the disabling of communication channels used to monitor and control distribution system infrastructure.
One of the most notorious incidents in recent years occurred in Oldsmar, Florida, where a hacker attempted to poison a drinking water plant by taking remote control of the facility’s supervisory control and data acquisition (SCADA) systems. The plant was operating on outdated Windows 7 software, highlighting the need for enhanced cybersecurity measures in critical infrastructure systems.
The EPA’s memorandum requires states to include cybersecurity as part of their sanitary surveys, which are periodic audits of water systems. The agency also aims to provide technical assistance to help water utilities improve their cybersecurity practices and mitigate any identified vulnerabilities.
The regulations are part of the Biden administration’s broader cybersecurity strategy, which aims to enhance the security of critical infrastructure systems against cyber threats. In a recent teleconference with reporters, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, highlighted the importance of cybersecurity regulations for critical infrastructure systems, stating that “a cyberattack can cause as much, if not more, damage than a storm or physical threat.”
The EPA’s cybersecurity oversight initiative for public drinking water systems marks a significant step towards ensuring the safety and security of the US’s critical infrastructure systems. By implementing best practices and investing in cybersecurity, we can better protect our infrastructure systems and ensure the safety and security of the public.
However, it is important to note that the implementation of cybersecurity regulations is only one part of a broader effort to enhance the security of critical infrastructure systems. The federal government and private sector must work together to enhance cybersecurity research and development, as well as improve collaboration and information sharing between government agencies and private entities.
Furthermore, there is a need for greater investment in cybersecurity education and training for the workforce, as well as greater public awareness and education about the importance of cybersecurity for critical infrastructure systems. By working together, we can better protect our critical infrastructure systems and ensure the safety and security of the public.
In conclusion, the EPA’s new cybersecurity oversight initiative for public drinking water systems is an important step towards enhancing the security of critical infrastructure systems against cyber threats. The implementation of best practices and investment in cybersecurity is essential to protect our infrastructure systems and ensure the safety and security of the public. However, there is a need for broader collaboration and investment in cybersecurity education and training to ensure that we are prepared to face evolving cyber threats in the future.