Policy Explainer

New EPA Mandatory Requirement Shows What’s to Come for Critical Infrastructure Cybersecurity Regulation

The Environmental Protection Agency (EPA) has issued a mandatory requirement aimed at the cybersecurity of U.S. public water systems: states must now evaluate the cybersecurity of a system's operational technology (the networks and controllers that run drinking water treatment and distribution) when they conduct their periodic sanitary surveys. The EPA has provided guidance to help state governments take their first steps on this project and will continue to provide resources to help states evaluate their water systems' security.

Attacks on critical infrastructure throughout the United States have been on the rise, including on these essential water systems. In February 2021, in Oldsmar, Florida, outside Tampa, an intruder gained remote access to the control software of a water treatment plant serving about 15,000 people and attempted to raise the level of sodium hydroxide (lye) in the water to a dangerous concentration; an operator watching the screen noticed the change and reversed it before it took effect. Also in 2021, a ransomware attack on the water system serving a Nevada community disrupted its SCADA (Supervisory Control and Data Acquisition) system and its backup systems; the ransomware variant was never identified. SCADA systems control, monitor, and analyze industrial devices and processes. In August 2021, a cyber actor used a Ghost variant of ransomware against a California-based water and wastewater system; the ransomware had been sitting in the network for about a month before it was discovered when SCADA servers displayed ransomware messages.

In general, public water systems (PWSs) have so far not been subject to heavy mandatory cybersecurity regulation. However, according to the EPA's memo, recent cyberattacks demonstrate that “many PWSs have failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by a cyber-attack.”

These systems are complex, and each treatment step (chemical dosing, filtration, disinfection, pressure and flow control) exists to protect public health; a malicious change to a single setpoint could endanger a whole city. EPA Assistant Administrator for Water Radhika Fox said that the “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”

This memo was released alongside the much-anticipated National Cybersecurity Strategy. The strategy, released in early March 2023, is organized around five pillars:

  1. Defending critical infrastructure
  2. Disrupting and dismantling threat actors
  3. Shaping market forces to drive security and resilience, including accountability for the stewards of personal data and for software vendors
  4. Investing in a resilient future, including federal cyber research and development
  5. Forging international partnerships to pursue shared goals

As part of executive agencies' efforts to support the administration's “defend critical infrastructure” pillar, additional mandatory requirements are expected to be rolled out over the coming months.

Previously, the White House tried to encourage industry to opt in to voluntary programs such as CISA's Automated Indicator Sharing (AIS) and to follow the various guidelines put out over the years. Just as voluntary incident reporting has fallen by the wayside in favor of the mandatory incident reporting for critical infrastructure enacted in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), whose reporting obligations take effect once CISA finalizes its implementing rule, these voluntary efforts are likely to be superseded across critical infrastructure industries by mandatory regulations. The EPA was quick to release its version of this change, but others are sure to follow across the 16 critical infrastructure sectors.