EPA Unveils Action Plan to Add Cyber Reviews to Sanitary Surveys

Last week, the EPA formally released its long-anticipated interpretive memorandum requiring states to evaluate the cybersecurity of operational technology used by a public water system (PWS) as part of periodic sanitary surveys or through other state programs.

Notably, the memo offers three flexible methods states may choose to evaluate public water system cybersecurity:

• Requiring public water systems to self-assess their cybersecurity practices using an approved government or private-sector method, which would then be reviewed and evaluated by the state during the sanitary survey;
• Having states themselves evaluate cybersecurity practices directly during a sanitary survey, consistent with how states evaluate other components of public water system operations; or
• Utilizing an alternative state cybersecurity program that is applicable to critical infrastructure and is at least as stringent as the sanitary survey.

EPA emphasizes that “the timeline for implementation [of the memo] is now,” because it represents a legal reinterpretation of existing authorities. EPA also explained that it will be up to each state to determine whether a water system’s cybersecurity deficiency identified in a sanitary survey constitutes a “significant deficiency” under the Safe Drinking Water Act.

It is also important to note that EPA is providing no-cost technical assistance, training, and resources to assist states and water systems as they work towards implementation of a robust cybersecurity program. Trainings begin next week (March 7 and March 9) with separate trainings for public water systems and primacy agencies. Additionally, WaterISAC intends to hold a joint webinar with EPA during the next month – more details to follow soon.

Likewise, EPA’s guidance “Evaluating Cybersecurity During Public Water Sanitary Surveys” is intended to assist states with building cybersecurity into sanitary surveys. It includes key information on options for evaluating and improving the cybersecurity of operational technology used for safe drinking water. 

Along with the memorandum, EPA also released a guidance document explaining various approaches states may utilize to incorporate cybersecurity reviews into public water system sanitary surveys. EPA will be accepting public comment on the guidance document until May 1, 2023.

EPA released the memorandum just days after the Biden Administration unveiled a new five-pillar National Cybersecurity Strategy that aims to place more responsibilities on the owners and operators of critical systems and their technology providers, and to incentivize private-sector actions “to make cyberspace more resilient and defensible over the long term.” The strategy further notes that EPA is responsible for overseeing cybersecurity requirements for water systems, and that “a collaborative process between industry and regulators will produce regulatory requirements that are operationally and commercially viable.” Read more at the EPA.