EPA Increasing Audit & Enforcement of Cybersecurity Rules
The Environmental Protection Agency (EPA) has recently issued an Enforcement Alert stressing the critical need for drinking water systems to immediately bolster their cybersecurity defenses. As cyberattacks on critical infrastructure, including community water systems (CWSs), become more frequent and sophisticated, the potential consequences for public health and safety have grown significantly. A successful cyberattack could disrupt water treatment and distribution processes, potentially leading to the contamination of water supplies and posing severe risks to communities.
Federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Environmental Protection Agency (EPA), have issued multiple warnings about cyber threats targeting water and wastewater systems. Nation-state actors such as the Iranian Government Islamic Revolutionary Guard Corps (IRGC), Russian state-sponsored entities, and People’s Republic of China (PRC) state-sponsored cyber actors, including Volt Typhoon and Vanguard Panda, have been implicated. These adversaries have disrupted water systems and may have embedded capabilities to disable them in the future.
To combat these threats, the EPA has outlined several key actions that drinking water systems should implement immediately. These actions include reducing the exposure of critical systems to the internet, conducting regular and thorough cybersecurity assessments, and developing comprehensive incident response plans. Beyond criminal and civil enforcement actions for failures to comply, the EPA, CISA, and FBI strongly recommend system operators take steps outlined in the Top Actions for Securing Water Systems, which include:
Reduce exposure to public-facing internet.
Conduct regular cybersecurity assessments.
Change default passwords immediately.
Conduct an inventory of OT/IT assets.
Develop and exercise cybersecurity incident response and recovery plans.
Backup OT/IT systems.
Reduce exposure to vulnerabilities.
Conduct cybersecurity awareness training.
Violations and enforcement
Since September 2023, over 70% of systems inspected by the EPA have violated basic SDWA 1433 requirements, missing critical sections in their Risk and Resilience Assessments (RRA) and Emergency Response Plans (ERP). Inspectors found significant cybersecurity vulnerabilities, such as unchanged default passwords, shared logins, and access retained by former employees. Inadequate RRAs and ERPs often lacked assessments of system resilience and strategies for cybersecurity improvements. These violations compromise operational safety and compliance.
As part of the EPA’s multi-year National Enforcement and Compliance Initiative—Increasing Compliance with Drinking Water Standards—inspectors are intensifying checks on CWS compliance with SDWA Section 1433. Given the identified vulnerabilities and recent cyberattacks the EPA has signaled it intends to increase cybersecurity-focused inspections and has stated that if vulnerabilities pose imminent risks to public health, enforcement actions under SDWA Section 1431 may be necessary to mitigate these dangers.
Requirements Under Section 1433 of the Safe Drinking Water Act
Section 1433 of the Safe Drinking Water Act requires community water systems serving over 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs), and certify their completion to the EPA. Additionally, systems must review their RRA and ERP every five years, revise them if necessary, and certify completion of these steps to EPA. These assessments must address natural hazards, malevolent acts (including cyberattacks), and resilience strategies. The emergency response plans must detail strategies for responding to the identified risks and ensuring the continuity of water services during and after an incident. This regulatory framework aims to ensure that water systems are well-prepared to handle various threats, safeguarding public health and water supply reliability.
How Dispel Helps CWSs Achieve Section 1433 Compliance and Process Efficiency
Dispel's Zero Trust Engine offers Secure Remote Access and Continuous Threat Detection designed to address the requirements of the water sector. Here’s how:
Reducing Internet Exposure
Dispel's Secure Remote Access provides a secure, encrypted connection for remote access to critical water system controls and implements a zero trust set of controls around and in the perimeter. By using Dispel's technology, water systems can minimize their exposure to the internet, significantly reducing the risk of unauthorized access and cyberattacks and aligns with the EPA's recommendation to limit internet exposure to essential systems.
Regular Cybersecurity Assessments
Dispel's Continuous Threat Detection continuously monitors the zero trust network for any signs of malicious behavior or vulnerabilities. This real-time monitoring ensures that any potential threats are identified and addressed promptly, enabling water systems to maintain a robust cybersecurity posture. This proactive approach supports the EPA's call for regular cybersecurity assessments and ongoing vigilance against potential threats. Monitoring and response are a pillar of assessments by providing testing and response pieces of assessments.
Change default passwords
Dispel password vaulting allows operators to use unique logins for all assets inside their networks immediately, and supports authenticator cycling on supported assets. Dispel allows operators to connect to IT and OT assets without needing to know the credentials to the target system, so long as they are in an approved session.
Conduct an inventory of OT/IT assets
Dispel asset inventory systems both allow for manual inventorying as well as integrations for automated inventorying of cyber physical systems. These then allow granular per-user, port, and protocol enforcement of access control rules.
Comprehensive Incident Response Plans
In the event of a cybersecurity incident, having a well-defined response plan is crucial. Dispel's solutions include features that facilitate quick identification, isolation, and mitigation of cyber threats. The ability to rapidly respond to incidents helps water systems minimize downtime and mitigate the impact of any potential cyberattacks, fulfilling the EPA's requirement for robust incident response planning.
Compliance with the Safe Drinking Water Act
By integrating Dispel's Secure Remote Access and Continuous Threat Detection into their operations, water systems can ensure compliance with Section 1433 of the Safe Drinking Water Act. These tools help in conducting risk and resilience assessments and developing emergency response strategies that are essential for protecting public health and ensuring the continuous supply of safe drinking water.
Where to go from here to get compliant
The EPA's recent enforcement alert underscores the importance of cybersecurity in protecting our nation's drinking water systems. By adopting advanced cybersecurity solutions like those offered by Dispel, water systems can significantly enhance their defenses against cyber threats. Secure Remote Access and Continuous Threat Detection provide the necessary tools to reduce internet exposure, perform regular assessments, and ensure rapid response to incidents, aligning with the EPA's stringent requirements. Ensuring the safety and reliability of drinking water infrastructure is paramount, and Dispel's solutions offer a comprehensive approach to achieving this goal.
