EPA to Increase Inspections and Take Enforcement Actions to Protect U.S. Water Systems from Cyber Attacks
The U.S. Environmental Protection Agency (EPA) has issued an enforcement alert ensuring community water systems (CWSs) comply with the Safe Drinking Water Act (SDWA) in an effort to prevent disruptive cyber attacks, including those by nation-state actors.
“Section 1433 of the Safe Drinking Water Act (SDWA) requires all CWSs serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs) and certify their completion to EPA,” the agency stated.
According to CPO, Water system operators must review their RRAs and ERPs every five years and possibly revise them while certifying the whole process with the EPA.
“These assessments and plans help water systems to evaluate and reduce risks from both physical and cyber threats,” the agency said.
The move aims to reduce cybersecurity vulnerabilities that adversaries could exploit to disrupt water supply or endanger consumers’ safety.
The EPA noted that “threats to, and attacks on” water and wastewater systems have recently increased in frequency and severity, reaching “to a point where additional action is critical.”
Subsequently, the EPA would increase inspections to ensure compliance and take enforcement actions for violations. The agency also outlined the steps that operators should follow to comply with SDWA and additional resources and tools to improve the water sector’s cyber resiliency.
