On March 3, 2023, USEPA issued the guidance document and memorandum that were identified in the Press Release. The guidance document (dated February 2023) and interpretative memorandum (dated March 3, 2023) are attached below.
Please review the documents, since it looks like a water system's cybersecurity program will be assessed during sanitary surveys. USEPA, Region 9, has indicated that training is planned for both the states and utilities. The (primacy) states will need to identify which of three approaches they will select for assuring cybersecurity evaluations of public water systems that have "operational technology" as part of their system operations.
There are Fact Sheets and other information on USEPA's website. The link also lists upcoming (webinar) training on evaluating cybersecurity programs for water systems. You will need to register for the two-part training.
The USEPA issued a press release on March 3, 2023, about improving cybersecurity resilience for public water systems. The link to the press release is at:
Please be on the lookout for the memorandum/guidance document from USEPA that will require the state (primacy) agencies to survey cybersecurity "best practices" of public water systems.
March 3, 2023- Cybersecurity Assessments to be Included in Sanitary Surveys
EPA released a legal opinion that cybersecurity resiliency falls under its existing authority under the Safe Drinking Water Act. The memorandum conveys EPA’s interpretation that states must include cybersecurity when conducting sanitary surveys for the nation's 143,219 public water systems. The memorandum also highlights different approaches for states to fulfill this responsibility.
NRWA and its 50 State Affiliates have always been committed to ensuring small and rural utilities have the support and resources they need to serve their communities. In this respect, cyber resiliency is just as vital as updated and working infrastructure. Rural Water is committed to assisting these small and rural systems in ensuring that their cybersecurity is sufficient to meet this evolving threat.
However, EPA’s approach to addressing this issue through the sanitary survey program may not prove to be as effective as many would like. NRWA will continue collaborating with EPA and key stakeholders to foster better results to mitigate cyber threats facing the water sector, especially for small and rural water utilities.
EPA is not proposing a new rule for this action as this is a legal interpretation of existing authority. The memorandum is effective immediately. NRWA and all other water associations, plus the National Conference of Mayors, League of Cities, and the National Association of Counties have expressed concerns to EPA. Rural Water members are advised to contact their state primacy agencies for more information on the rollout of this mandate.
January 18, 2023- As the leader in cybersecurity services, IronTech Security wants to support you as you serve your members. We believe creating a security-first culture starts with identifying and preventing employee technology vulnerabilities before they cause a breach.
Attached is an article titled “What is the CEO’s Role in Cybersecurity?”