EPA finalizes cyber technical support plan forwater systemsAugust 29, 2022 at 5:00 AMLast week EPA’s Office of Water finalized a report descri...

EPA finalizes cyber technical support plan forwater systemsAugust 29, 2022 at 5:00 AMLast week EPA’s Office of Water finalized a report descri...EPA finalizes cyber technical support plan for
water systems
August 29, 2022 at 5:00 AM
Last week EPA’s Office of Water finalized a report describing how it plans to provide
voluntary cybersecurity technical support to drinking water systems, the second of two
cyber-related actions that were mandated by Congress last year as part of the Bipartisan
Infrastructure Law (https://www.amwa.net/article/president-signs-infrastructure-bill-billionsdrinking-water).
The infrastructure law first required EPA to develop a “prioritization framework” to identify
public water systems that “if degraded or rendered inoperable due to an incident, would
lead to significant impacts on the health and safety of the public.” That framework
(https://www.amwa.net/system/files/contentattachments/EPA_Prioritization_Framework_May2022.pdf) was released in May and
outlined how EPA would prioritize delivering technical cybersecurity aid to water systems
during a scenario where the demand for such aid outstripped the agency’s near-term
capacity to provide it. That framework explained that EPA would prioritize delivering aid
based on factors such as the risk to downstream critical infrastructure and national security
assets, the capabilities of water systems to address vulnerabilities without federal support,
and the risk reduction benefits that would be achieved as a result of the support.
Second, EPA was directed to develop a Technical Cybersecurity Support Plan for public
water systems. The report was to include specific EPA and DHS cybersecurity resources
that may be utilized by water systems, timelines for making voluntary technical support
available to water systems, and a list describing systems in need of technical support.
EPA released this support plan (https://www.amwa.net/system/files/contentattachments/EPA_TechnicalCybersecuritySupportPlan_August2022.pdf) last week. It
includes four categories of technical cybersecurity support that are currently available to
public water systems, such as the Vulnerability Self-Assessment Tool
(https://vsat.epa.gov/vsat/) and the Cybersecurity Incident Action Checklist
(https://www.epa.gov/sites/default/files/2017-11/documents/171013-incidentactionchecklistcybersecurity_form_508c.pdf). It further explained that EPA would make additional
resources available beginning in 2023, such as a checklist of cybersecurity best practices
for small water systems, and new technical support to help public water systems address
vulnerabilities in current cybersecurity practices.
During development of the infrastructure law last year AMWA expressed concerns to
congressional staff about the provision in the bill requiring EPA to “list” water systems in
need of additional technical support, warning that it could guide hackers and cyber criminals
EPA finalizes cyber technical support plan for water systems | Page: 1 of 2
toward unprepared water systems. Fortunately, EPA’s report did not include an actual
named list of water systems. Instead, the agency broadly identified “two situations where
[public water systems] may have an elevated need for technical cybersecurity support”:
small water systems that were not required to complete a risk and resilience assessment
under America’s Water Infrastructure Act of 2018, and where vulnerabilities are identified
during a water system’s cybersecurity assessment.
Congress is expected to continue to have an interest in water system cybersecurity, so
AMWA will continue to promote legislative and regulatory approaches that boost cyber
defenses without imposing new regulatory burdens or inadvertently increasing risk.
Back to August 29, 2022 (https://www.amwa.net/monday-morning-briefing/august-29-2022)
Source URL: https://www.amwa.net/article/epa-finalizes-cyber-technical-support-planwater-systems