Regulatory Alert: Public Water Systems
Estimated Read Time: 3 mins. 40 secs.
All public water agencies
Cybersecurity industry members
Sanitary Survey Requirements -- 40 CFR §142.12; 40 CFR §142.14; 40 CFR §142.15; 40 CFR §142.17
On Friday, March 3, 2023, the U.S. Environmental Protection Agency (USEPA) issued revised guidance to the states to include minimum federal cybersecurity requirements within the existing Sanitary Survey process. These state surveys are conducted on all drinking water and wastewater systems. For groundwater and agriculture agencies, including groundwater sustainability agencies, the regulations will impact any intertie, groundwater replenishment, or advanced treatment (water recycling) facilities that utilize industrial control or other systems in the production or delivery of water. The minimum federal guidance does not include all (NIST-standard) components necessary for a comprehensive critical infrastructure cybersecurity program. States may impose additional standards.
Minimum federal requirements include the following:
1. Reporting cybersecurity incidents pursuant to established protocols (the established protocols can be found here:
a. Federal Bureau of Investigations (FBI) for “threat response,” or
b. Cybersecurity Infrastructure Security Agency (CISA) for “asset response” (CISA incident reporting can be accessed here), or
c. USEPA for “centralized response.”
2. Assessments/Approaches which may evaluate cybersecurity practices. The states may adopt (or keep in place):
a. Agency self-assessment or required third-party assessments for the purpose of identifying cybersecurity gaps. Self-assessments must meet CISA/NIST or American Water Works Association requirements. Third-party assessment must meet USEAP Water Sector Cybersecurity Program requirements.
3. Evaluation of the Agency’s cybersecurity practices is required.
The state may choose to adopt alternative standards provided they meet the minimum requirements of the USEPA Water Sector Cybersecurity Program.
The revised regulations provide for non-compliance actions: “If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the PWS to address the significant deficiency.” Enforcement actions and requirements are authorized under 40 CFR §142.16(b)(1)-(3) and (o)(1)-(2).
Background and Discussion
The 2021 attack to the Oldsmar, Florida water supply raised alarms about the vulnerability of the nation’s 151,000 public water systems. Local officials said the intruder used a remote access program to increase the sodium hydroxide — used to lower acidity, but a burn risk in high concentrations — to be added to the water by a factor of 100. A supervisor monitoring a plant console caught the activity and stopped it. In direct response the Department of Homeland Security, through the Transportation Security Administration (TSA), announced it would be promulgating rules similar to the Proposed Rule imposing cybersecurity requirements on pipeline owners/operators. At the time, those proposed rules were under heavy scrutiny by both cybersecurity providers and pipeline operators. Shortly thereafter, the President signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) as part of the Fiscal Year 2022 Omnibus Appropriations Act. CIRCIA was inserted into the appropriations legislation in the last hours of debate within the House of Representatives and agreed to by unanimous consent in the Senate.
CIRCIA gave the Agency up to 3 ½ years to finalize rules that will settle essential questions about the law’s applicability. For example, the rules will aim to clarify what kinds of “incidents,” and “entities” should be covered by CISA’s 72-hour reporting requirements—or 24-hour requirements in the case of ransomware.
In April 2022, USEPA asserted jurisdiction over cybersecurity requirements for public water systems and announced intentions to promulgate new cybersecurity regulations for water and wastewater systems. That same month, CISA issued an initial Circular/Fact Sheet concerning reporting requirements for cybersecurity incidents. As we reported to all public agency clients in April 2022 (From the Hill: Cybersecurity Update #5) “while these reporting requirements are currently voluntary, as indicated within the Circular/Fact Sheet, they are required under federal statute to become mandatory upon promulgation of regulations by CISA.” Owners of clean water (wastewater/water recycling), drinking water, inlet/outlet/weir structure, and pipeline/conveyance structures are broadly considered “critical infrastructure owners and operators” under the CISA guidance. The 2022 CISA guidance provided no specific guidance but indicates that the following incidents should be reported:
Unauthorized access to your system
Denial of Service (DOS) attacks that last more than 12 hours
Malicious code on your systems, including variants if known
Targeted and repeated scans against services on your systems
Repeated attempts to gain unauthorized access to your system
Email or mobile messages associated with phishing attempts or successes **
Ransomware against Critical Infrastructure, include variant and ransom details if known
In June 2022, USEPA issued guidance initiating voluntary cybersecurity reporting and planning measures similar to those contained in the current guidance. In 3rd Quarter 2023, USEPA announced it would not be promulgating new rules for public water agencies but instead would be amending the existing state survey requirements to address cybersecurity issues. The March 3, 2023, revised guidance to the states now makes cybersecurity requirements mandatory for all public water systems identified above.
The revised guidance letter to the states can be found here.
Resource, technical assistance, and evaluation tools can be found here.
USEPA’s cybersecurity training for public water systems can be found here.
40 CFR §142 can be found here.
While many states will adopt the federal minimum standards, water and wastewater agencies should monitor or check with state regulatory agencies to determine specific requirements. As some states have already imposed requirements on water agencies, those agencies should check for possible modifications created by the USEPA’s revised guidance. States will have up to six months to promulgate individual requirements that meet or exceed the federal minimum requirements. Agencies with near term/upcoming surveys by state agencies, should check with that agency to determine when cybersecurity requirements will be implemented and the time frame for implementation.
From the Hill is an industry snapshot for Capitol Core Group clients in select industries of interest. It is compiled from Capitol Core research and discussions as well as outside resources including Bloomberg Government, Roll Call, and other relevant sources. All data provided is public data but is compiled for ease of understanding.
This is the ninth in the series on the topic of cybersecurity since 2020 and is a regulatory overview for the water industry.
Download the document: