
EPA Steps Up Cybersecurity Audits for Water Systems

In response to increasing cyberattacks against U.S. public water systems, the U.S. Environmental Protection Agency (EPA) has announced that it will step up enforcement of the cybersecurity requirements spelled out in the Safe Drinking Water Act (SDWA), as amended by America’s Water Infrastructure Act (AWIA). These laws require community water systems to perform regular Risk and Resilience Assessments (RRAs) of their infrastructure and to develop corresponding emergency response plans. Unsurprisingly, cybersecurity plays a key role in both requirements.

This increased scrutiny comes in response to a wave of state-sponsored cyberattacks against U.S. critical infrastructure, particularly public water and wastewater systems. Threat actors already tied to cyber incidents at U.S. water systems include the PRC state-sponsored Volt Typhoon group, pro-Russia hacktivist groups, and affiliates of Iran’s Islamic Revolutionary Guard Corps (IRGC). Naturally, such activity raises the risk that these or similar actors will attempt to disrupt the U.S. water supply in the future.

Requirements, Deadlines, and Enforcement

AWIA Section 2013 requires any community water system serving more than 3,300 people to perform a Risk and Resilience Assessment. The RRA “must include ‘electronic, computer, or other automated systems (including the security of such systems),’ otherwise known as cybersecurity.” Within six months of certifying completion of the RRA, the system must then develop a written Emergency Response Plan (ERP). The ERP must address both physical security and cybersecurity and define a clear strategy for mitigating risks, detecting threats, and responding to incidents.

Initial certifications began in 2020, with deadlines staggered by the size of the community water system (see table below). However, the EPA has found many of these initial efforts lacking. Inspections conducted since 2023 found that over 70% of the systems inspected failed to meet basic requirements, including missing sections of the RRA and ERP. This high failure rate has spurred the EPA to further increase the number of inspections going forward.

The EPA also has a range of enforcement options when it finds violations. Section 1431 of the SDWA (Emergency Powers) gives the EPA the authority to order corrective action and to require a water system to provide alternate sources of water to its users until the problems are resolved. Additionally, the EPA can levy civil penalties of up to $15,000 for every day that a system remains out of compliance.

Even for systems that are in compliance today, new certifications are on the horizon. The law requires each RRA and ERP to be reviewed and recertified every five years, so the next round of certifications begins in March 2025, again staggered by system size. Whether driven by increased EPA inspections or by looming recertification deadlines, nearly every community water system should be thinking about cybersecurity now.

Key Steps for Better Cybersecurity 

The EPA provides a variety of guidance for water systems seeking to improve their cybersecurity posture. Earlier this year, the EPA, FBI, and CISA jointly published a fact sheet titled Top Cyber Actions for Securing Water Systems, which recommends the following:

  1. Reduce exposure to public-facing internet
  2. Conduct regular cybersecurity assessments
  3. Change default passwords immediately
  4. Conduct an inventory of OT/IT assets
  5. Develop and exercise cybersecurity incident response and recovery plans
  6. Backup OT/IT systems
  7. Reduce exposure to vulnerabilities
  8. Conduct cybersecurity awareness training

While this list is a good high-level starting point, the EPA also provides resources such as the Water Cybersecurity Assessment Tool and Risk Mitigation Template (xlsx). This template notably has sections dedicated to Vulnerability Management, Device Security, and Supply Chain Security, all of which are areas where Eclypsium can help, as detailed in the table below.
Instructions for using the tool can be found in the Water Sector Cybersecurity Risk Management Guidance from the American Water Works Association (AWWA). That document also cross-references NIST standards and the NIST Cybersecurity Framework (CSF) to help water and wastewater utilities with AWIA §2013 compliance. Notably, the NIST CSF specifically calls for monitoring the integrity of firmware in IT and OT systems, a capability that many organizations rely on Eclypsium to provide.

General Cybersecurity Controls Eclypsium Helps With
Vulnerability Management – Finding and mitigating vulnerabilities is a cornerstone of any security practice. This requirement is even more pronounced in water systems which rely on a complex mix of IT, OT, and IoT assets. In many cases, these devices may rely exclusively on firmware or other integrated code, making it all the more important to identify vulnerabilities or misconfigurations at the firmware level.
Device Security – Organizations need to establish and maintain an up-to-date inventory of every asset with an IP address. This specifically includes maintaining a record of all configurations and code, down to the firmware level of each asset. Tools such as Eclypsium can automate these assessments down to the firmware of the individual components inside an asset, alerting staff to any vulnerabilities or misconfigurations that could put the device at risk.
Supply Chain Security – This section calls out the need to “include cybersecurity as a criterion when procuring assets and services.” Here too, Eclypsium can automate the work by providing a security assessment of prospective vendor devices. In addition to revealing vulnerabilities and other weaknesses, Eclypsium can verify that each asset conforms to the vendor-supplied software bill of materials (SBOM) and verify the integrity of each asset to ensure it has not been tampered with or modified in the supply chain.
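To make the Device Security and Supply Chain Security controls concrete, the following added example shows what an SBOM-conformance and firmware-integrity check looks like in practice. It is illustration code written for this page, not Eclypsium product code: the firmware component blobs, the trimmed CycloneDX-style SBOM built from them, and the "observed" device contents are all constructed samples (assumed format), standing in for a vendor's real SBOM and for what a firmware scanner would read off a real PLC or gateway.

```python
"""Check the firmware components observed on a device against a vendor SBOM.

Added illustration, not Eclypsium code. The SBOM shape is a trimmed,
assumed subset of CycloneDX; all sample data below is constructed.
"""
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the vendor's golden firmware components. In a real
# assessment the expected hashes come from the vendor's SBOM document, not
# from local copies of the binaries.
GOLDEN_COMPONENTS = {
    "bootloader": b"PLC-BOOT 2.1.0 golden image (constructed sample)",
    "rtos-kernel": b"RTOS 5.4.2 golden image (constructed sample)",
    "web-ui": b"HMI web 1.9.3 golden image (constructed sample)",
}


def build_vendor_sbom(product: str, version: str, components: dict) -> dict:
    """Emit a trimmed CycloneDX-style SBOM (assumed subset of the format)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": product, "version": version}},
        "components": [
            {"name": name, "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}]}
            for name, blob in components.items()
        ],
    }


@dataclass(frozen=True)
class Finding:
    component: str
    status: str  # "ok", "hash_mismatch", "missing", or "unlisted"
    detail: str


def check_asset(sbom: dict, observed: dict) -> list:
    """Compare observed component blobs against the SBOM's SHA-256 entries.

    Flags hash mismatches (modified code), components the SBOM lists but the
    device lacks, and components on the device the SBOM never declared.
    """
    expected = {}
    for comp in sbom["components"]:
        for h in comp.get("hashes", []):
            if h["alg"] == "SHA-256":
                expected[comp["name"]] = h["content"]

    findings = []
    for name, sha in expected.items():
        if name not in observed:
            findings.append(Finding(name, "missing", "listed in SBOM but not present on device"))
            continue
        actual = sha256_hex(observed[name])
        if actual != sha:
            findings.append(Finding(name, "hash_mismatch", f"expected {sha[:12]}..., got {actual[:12]}..."))
        else:
            findings.append(Finding(name, "ok", "matches vendor SBOM"))
    for name in observed:
        if name not in expected:
            findings.append(Finding(name, "unlisted", "present on device but absent from SBOM"))
    return findings


def asset_conforms(findings: list) -> bool:
    """True only when every SBOM entry matched and nothing extra was found."""
    return all(f.status == "ok" for f in findings)


# Serialize and re-parse to mimic reading the SBOM from the vendor's file.
VENDOR_SBOM = json.loads(json.dumps(build_vendor_sbom("ExamplePLC", "2.1.0", GOLDEN_COMPONENTS)))

# Constructed "observed" device: the web UI was altered and an undeclared
# binary appeared, the kind of drift a supply-chain tamper would produce.
TAMPERED_DEVICE = dict(GOLDEN_COMPONENTS)
TAMPERED_DEVICE["web-ui"] = GOLDEN_COMPONENTS["web-ui"] + b"\x90\x90 injected"
TAMPERED_DEVICE["telnetd"] = b"unexpected extra binary (constructed sample)"

if __name__ == "__main__":
    findings = check_asset(VENDOR_SBOM, TAMPERED_DEVICE)
    for f in findings:
        print(f"{f.status:14s} {f.component:12s} {f.detail}")
    print("conforms to SBOM:", asset_conforms(findings))
```

Run as a script, the check reports the two golden components as ok, the web UI as a hash mismatch, and telnetd as unlisted, so the asset fails conformance. The point a practitioner should take from it is that the SBOM is only useful as a baseline if it carries hashes you can compare against what is actually on the device; a component list without hashes tells you what the vendor intended to ship, not what arrived.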

Key Take-Aways

It is important to note that this enhanced focus on cybersecurity is not unique to the EPA or to public water systems. Nation-state adversaries have increasingly targeted a wide range of critical infrastructure and services in the United States, which in turn has forced federal agencies to step up their oversight. For example, to protect the power grid, NERC has strengthened its Critical Infrastructure Protection (CIP) standards; the Department of Health and Human Services (HHS) has published enhanced Acceptable Risk Safeguards (ARS) to protect medical data; and the FBI’s Criminal Justice Information Services (CJIS) Division has tightened requirements and auditing for law enforcement agencies that use FBI data.

When it comes to critical infrastructure such as power and water, the greatest risk is that adversaries could disrupt or contaminate service. This is precisely why there is such a renewed focus on device-level and firmware security. By corrupting firmware, attackers can completely disable devices in ways that are extremely hard, if not impossible, to recover from. Attackers have already demonstrated the ability to “brick” servers and laptops by corrupting firmware; the stakes are greatly magnified if and when those techniques are applied to critical infrastructure or the systems that support it.

This is why organizations must be able to assess their critical assets at every level, including all supply chain code and components. Staff must be able to consistently audit the posture and verify the integrity of each device. Eclypsium’s Supply Chain Security Platform specializes in these tasks and turns highly technical audits into simple automated scans.

To learn more, we encourage you to schedule a demo with the Eclypsium team or review any of the following resources: