EPA to make states evaluate public water systems’ cybersecurity

The Environmental Protection Agency (EPA) will require states to evaluate cybersecurity as part of their checks on public drinking water systems. 

The agency said Friday that many such systems haven’t taken basic steps to ensure their security, even as cyberattacks are becoming more frequent. 

“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” EPA Assistant Administrator Radhika Fox said in a statement. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”

David Travers, the director of the EPA’s Water Infrastructure and Cyber Resilience Division, told reporters Thursday that the policy was in response to attacks such as one in Kansas where an ex-employee still had login access after being fired and was able to interrupt water treatment remotely. 

“That is an example of a very basic access control measure that was not taken,” Travers said, adding that there have been other instances where basic practices like software updates that include security upgrade haven’t happened. 

States will have a few options for getting the cybersecurity checks done, including allowing utilities to do the assessment themselves or having the state do the evaluation.