Critical Infrastructure Regulations
Cybersecurity for Public Water Systems
Implementing EPA’s Cybersecurity Guidance
In March 2023, the U.S. Environmental Protection Agency (EPA) issued new regulations[1] directing states to include cybersecurity when conducting sanitary surveys, or audits, of public water systems. Tenable makes it easy to comply with this guidance while maintaining the security and productivity of your systems.
How Tenable Can Help
In its “Cybersecurity Checklist for Public Water System Sanitary Surveys” (Appendix A of the EPA document “Evaluating Cybersecurity During Public Water System Sanitary Surveys”), the agency outlines various approaches public water systems can use to include cybersecurity in sanitary surveys or other state programs. The goal of the sanitary surveys is to ensure that states effectively identify significant deficiencies and that water systems then correct those significant deficiencies, including cybersecurity-related ones, that could impact safe drinking water.
This is only a partial list of EPA checklist items. For the complete list, please visit epa.gov.
Account Security
Regulation / Recommendation
- 1.1 Detect and block repeated unsuccessful login attempts
- 1.2 Change default passwords
- 1.4 Require a minimum length for passwords
How We Help
- 1.1, 1.2, 1.4 Tenable audits operating system (OS) configurations to ensure the control is active and identifies incorrect configurations via reports.
Device Security
Regulation / Recommendation
- 2.2 Disable Microsoft Office macros, or similar embedded code, by default on all assets
- 2.3 Maintain an updated inventory of all OT and IT network assets
- 2.5 Maintain current documentation detailing the set-up and settings (i.e., configuration) of critical OT and IT assets
How We Help
- 2.2 Tenable audits OS configuration to ensure the control is active and identifies incorrect configurations via reports.
- 2.3 Tenable provides enterprise visibility, asset discovery and mapping.
- 2.5 Tenable establishes baseline settings on all OT devices and tracks deviations from the baseline, identifying configuration changes.
Data Security
Regulation / Recommendation
- 3.1 Collect security logs (e.g., system and network access, malware detection) to use in both incident detection and investigation
How We Help
- 3.1 Tenable collects network traffic and creates logs for use in forensic investigations.
- 3.2 Tenable stores security logs and can forward logs securely to third-party data repositories such as a SIEM or SOAR.
Vulnerability Management
Regulation / Recommendation
- 5.1 Patch or otherwise mitigate known vulnerabilities within the recommended time frame
- 5.4 Ensure assets connected to the public internet expose no unnecessary exploitable services (e.g., remote desktop protocol)
How We Help
- 5.1 Tenable leverages domain expertise in industrial security for OT assets, and Nessus for IT assets. Tenable’s VPR scoring generates vulnerability and risk levels for each asset in your ICS network. Reports include detailed insights along with mitigation suggestions, enabling authorized personnel to quickly identify the highest risks for priority remediation.
- 5.4 Tenable maps open ports and services, allowing remediation.
Response and Recovery
Regulation / Recommendation
- 7.4 Maintain updated documentation describing network topology (i.e., connections between all network components) across water system OT and IT networks
How We Help
- 7.4 Tenable maps the network and baselines communications between all discovered devices, aiding in the incident response (IR) process.
Available Government Funding for Water Utilities
Funding is available for states and communities to meet cybersecurity threats through loans and set-asides provided through the Drinking Water State Revolving Fund (DWSRF). The EPA Fact Sheet expressly states, “EPA encourages states to utilize the significant increase in SRF funding for infrastructure projects that make water systems more resilient to all threats — whether it is natural disasters, climate change or threats such as bioterrorism and cyberattacks.” EPA also posted this SRF Cybersecurity Fact Sheet that details how to use the DWSRF to support state programs and communities with cybersecurity measures.

[1] Three states and utility groups are challenging the legality of EPA’s cybersecurity rule in federal court.
The regulation and government funding information provided on this web page is dynamic and subject to change. We recommend referring to https://www.epa.gov for the most up-to-date information.