EPA FACT SHEET
Addressing Cybersecurity Resilience with Sanitary Surveys
Office of Water (4608T), EPA-810-F-23-004, 2023

Cyber-attacks against water systems are increasing. These attacks have the potential to disable or contaminate the delivery of drinking water to consumers. While some public water systems (PWSs) have taken important steps to improve their cybersecurity, many PWSs have failed to adopt basic cybersecurity best practices and consequently are at risk of being victimized by a cyber-attack. EPA is committed to partnering with the states to ensure that all PWSs adopt cybersecurity practices that are essential to protecting public health.

What must primacy agencies do during a Sanitary Survey?

1. If the PWS uses an Industrial Control System or other operational technology as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.

2. If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the PWS to address the significant deficiency.

Available Options for Primacy Agencies to Include Cybersecurity in Sanitary Surveys

Option 1: PWSs conduct self-assessment or third-party assessment of cybersecurity practices

Option 1.a. Self-Assessment: PWSs could conduct a state-approved self-assessment using a government or private-sector method, such as those listed below.

Option 1.b. Third-Party Assessment: A PWS could undergo an assessment of cybersecurity practices by an outside party, such as those listed below, or another government or private-sector technical assistance provider approved by the state.

Under Options 1.a and 1.b, the PWS cybersecurity assessment should be completed prior to the sanitary survey, made available to state sanitary surveyors, and updated to reflect changes in cybersecurity practices and/or operational technology prior to subsequent sanitary surveys.

Self-Assessment Resources:
• EPA: Guidance on Evaluating Cybersecurity in Public Water System Sanitary Surveys
• CISA: Cyber Resilience Review, Cross-Sector Cybersecurity Performance Goals
• NIST: AXIO Cybersecurity Program Assessment Tool
• AWWA: Cybersecurity Risk Management Tool
• ISO: ISO/IEC 27001
• ISA/IEC: ISA/IEC 62443 Series of Standards

Third-Party Assessment Resources:
• CISA: CISA Cybersecurity Advisor (coordinated through CISA Regions)
• EPA: Water Sector Cybersecurity Evaluation Program

Option 2: Primacy agency evaluation of cybersecurity practices during the sanitary survey

States could choose for surveyors to evaluate cybersecurity practices directly during a sanitary survey of a PWS to identify cybersecurity gaps and determine if any of those gaps should be designated as significant deficiencies. This approach is consistent with how states conduct sanitary surveys of other components of PWS operations. Under this option, the state, rather than the PWS or a third party, would conduct the cybersecurity assessment and would direct the PWS to address any significant deficiencies that the state identifies. Please see the list of resources below to support states with this approach.

Note: States may also use the self-assessment tools listed under Option 1.

Resources available to support this approach:
• EPA: Cybersecurity Assessment Tool and Risk Mitigation Plan Template
• EPA: Cybersecurity Technical Assistance Program for the Water Sector

Option 3: Alternative State Program for Water System Cybersecurity

Several states have programs under which PWSs assess cybersecurity gaps in their current practices that could impact safe drinking water and implement controls to address those gaps. For example, a state homeland security agency may have a cybersecurity program covering all critical infrastructure in the state. States that currently have or that develop such a program may use this program as an alternative to including cybersecurity in PWS sanitary surveys. To be at least as stringent as a sanitary survey, state surveyors must ensure that the alternate state program effectively identifies cybersecurity gaps through an assessment and that PWSs address any significant deficiencies designated by the state. Further, the cybersecurity assessment must be conducted at least as often as the required sanitary survey frequency for the PWS (typically 3 or 5 years).

Identifying Significant Deficiencies

For cybersecurity, significant deficiencies should include the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water. Primacy agencies with additional questions on identifying significant deficiencies can submit a request for additional support at www.epa.gov/waterriskassessment/forms/cybersecurity-technical-assistance-water-utilities.

Changes to Primacy Agency Recordkeeping and Reporting

This interpretive rule does not require states to change their approved state primacy programs.

1. If PWS cybersecurity assessments are completed by an agent other than the Primacy Agency, the Primacy Agency must maintain a listing of approved agent(s).

2. Primacy Agencies are not required to report the significant deficiency itself to EPA, but must report to EPA the date a system completed the corrective action.

EPA Resources for Primacy Agencies and Public Water Systems

Guidance on Evaluating Cybersecurity in PWS Sanitary Surveys

Evaluating Cybersecurity in PWS Sanitary Surveys is a guidance document that includes an optional checklist of cybersecurity best practices that could be used to:
• Assess cybersecurity at a PWS
• Identify gaps, including potential significant deficiencies
• Select remediation actions appropriate to the capabilities and circumstances of the PWS.

Training for State Primacy Agencies and Public Water Systems

EPA will offer training for states and PWSs on evaluating cybersecurity in sanitary surveys. Please register for the training at https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector

Virtual Sanitary Survey Cybersecurity Training for Primacy Agencies: This training will provide primacy agencies with an understanding of how to implement cybersecurity into sanitary surveys using Option 1, 2, or 3. It will also cover information protection, available support resources, and funding.

Regional Sanitary Survey Cybersecurity Training for Primacy Agencies: This training will be conducted in person and provide primacy agencies with an understanding of how to implement cybersecurity into sanitary surveys using Option 1, 2, or 3. It will also cover state-specific cybersecurity requirements, information protection, available support resources, and funding.

Virtual Cybersecurity Assessment Training for Public Water Systems: This training will provide PWS staff with a detailed overview of how to conduct a cybersecurity self-assessment, identify vulnerabilities, and develop risk mitigation plans to prioritize, address, and mitigate the vulnerabilities found during the assessment. It will also cover information protection, available support resources, and funding.

EPA Direct Technical Assistance for Primacy Agencies and Public Water Systems

Water Sector Cybersecurity Evaluation Program

EPA's Water Sector Cybersecurity Evaluation Program will conduct a cybersecurity assessment for PWSs. The assessment will follow the Checklist in the guidance on Evaluating Cybersecurity in PWS Sanitary Surveys. The PWS will receive a report with responses to Checklist questions that shows gaps in cybersecurity, including potential significant deficiencies. The PWS should provide this report to the state to review during the sanitary survey, as discussed under Option 1. PWSs must register at https://www.epa.gov/waterriskassessment/forms/epas-water-sector-cybersecurity-evaluation-program.

Cybersecurity Technical Assistance Program for the Water Sector

EPA has launched a new technical assistance program to support primacy agencies and water systems in implementing cybersecurity measures. Users may submit questions or request to consult with a subject matter expert regarding cybersecurity in PWS sanitary surveys. EPA will strive to respond to the requester within two business days. Submit a request at http://www.epa.gov/waterriskassessment/forms/cybersecurity-technical-assistance-water-utilities.

Note: This service is not intended to provide emergency support. For support following a cyber incident, please report to the appropriate state authority and/or CISA at the following: https://us-cert.cisa.gov/forms/report

Additional Technical Resources

• CISA Cybersecurity Advisors (CSAs): CSAs offer cybersecurity assistance to critical infrastructure owners and operators and state, local, tribal and territorial governments. CSAs can assist with cyber preparedness, assessments and protective resources, partnership in public-private development, and cyber incident coordination and support. To locate your CSA, email cyberadvisor@hq.dhs.gov.

• United States Department of Agriculture (USDA) Rural Development Circuit Rider Program: USDA provides technical assistance, including cybersecurity analysis, to rural water systems serving 10,000 people or less. Rural water system officials may request assistance from the National Rural Water Association State Association or the local Rural Utilities Service office. Circuit Riders provide service in all states and territories. For more information, visit www.rd.usda.gov/programs-services/water-environmental-programs/circuit-rider-program-technical-assistance-rural-water-systems

• Water Information Sharing and Analysis Center (ISAC): WaterISAC is a source for data, case studies, and analysis on water security threats, including cybercrime, and provides resources to support response, mitigation, and resilience initiatives. For more information, visit www.waterisac.org.

• Multi-State ISAC: MS-ISAC supports information sharing to improve the overall cybersecurity of state, local, tribal and territorial governments, assists cyber incident response and remediation, and issues advisories with actionable information for improving cybersecurity. For more information, visit http://www.cisecurity.org/ms-isac

• Water Sector Associations: The American Water Works Association and National Rural Water Association offer cybersecurity education, guidance, and methods to assess cybersecurity risks and prioritize cybersecurity enhancements that are targeted specifically to PWSs.

For more information: www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector