Cybersecurity Assessments Included in Public Water Sanitary Surveys

Cybersecurity risks to public water systems are raising alarm across the country as the U.S. Environmental Protection Agency (USEPA) released new guidance stressing the need for States to assess risks to protect public drinking water. The USEPA says survey results and reports of recent cyberattacks show that many have not adopted basic cybersecurity best practices and are at risk of cyberattacks — whether from an individual, criminal collective, or a sophisticated State or State-sponsored actor. The USEPA guidance requires States to survey cybersecurity best practices at public water systems.

The guidance titled Evaluating Cybersecurity During Public Water Sanitary Surveys, says States must include cybersecurity when conducting periodic audits of water systems that are called sanitary surveys. The document also highlights different approaches for States to fulfill this responsibility. USEPA is requesting public comment on sections four through eight of the guidance and all Appendices until May 31, 2023. To submit comments, email USEPA plans to revise and update the guidance as appropriate based on public comments and new information.

USEPA has published several cybersecurity tools and resources for public water systems. In addition, resident experts at AE2S developed cybersecurity best practices for control systems that water utilities may find useful. Jason Schuler, AE2S Senior Information Technology (IT) Technician / Cybersecurity Specialist, and Mike Chorne, AE2S I&C Senior Specialist, provide information about the most common types of attacks and how you can keep your water system safe. If you have questions, please contact Jason Schuler about cybersecurity concerns for utilities.