EPA issues cybersecurity memo for water systems.
March 6, 2023 – Published on The Cyberwire
The US Environmental Protection Agency (EPA) on Friday issued a memorandum “stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water.”
The memorandum requires that states include cybersecurity when they conduct audits of water systems. The agency said in a statement, “While some public water systems (PWSs) have taken important steps to improve their cybersecurity, a recent survey and reports of cyber-attacks show that many have not adopted basic cybersecurity best practices and are at risk of cyber-attacks — whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor. This memorandum requires states to survey cyber security best practices at PWSs.”
CyberScoop notes criticism from industry experts and insiders who stated that the memorandum wasn’t developed with input from industry groups, and that sanitation surveyors lack the proficiency to evaluate cybersecurity threats.
Chris Warner, Senior OT Cyber Security Consultant at GuidePoint Security, commented:
“Securing water delivery systems is a challenge due to the use of OT called SCADA systems. Many are connected to IT systems to provide data used to efficiently manage the safety and reliability of drinking water, water treatment facilities and flood control. SCADA systems are designed to function in all environments and are built to last decades, with little focus on cybersecurity. The more OT and IT connect, the attack surface becomes larger for bad actors to make their way in and ransom, manipulate data or cause other destructive operations.
“Water utilities have numerous physical sites diverse in architecture and challenging nationwide. These organizations work diligently to ensure integrity and security for water treatment management for clean and safe drinking water distribution networks and real-time flood control system monitoring. These organizations have limited resources to protect from cyber-attacks.”
Read More HERE.