Critical Infrastructure Regulations
Cybersecurity for Public Water Systems
Improving Cybersecurity Across the Water Sector Remains one of EPA’s Highest Priorities
The U.S. Environmental Protection Agency (EPA) continues to underscore that adopting cybersecurity best practices at drinking water and wastewater utilities is essential to protect communities from the increasing number and severity of cyber-threats facing our nation’s water systems. EPA encourages all states to voluntarily review public water system cybersecurity programs to ensure that any vulnerabilities are identified and corrected, and assistance is provided to systems that need help. See Fact Sheet: EPA’s Cybersecurity Resources for Drinking Water and Wastewater Systems.
Request a DemoHow Tenable Can Help
EPA’s Water Cybersecurity Assessment Tool (WCAT) helps water systems self-assess their cybersecurity practices. The tool utilizes EPA’s Cybersecurity Checklist, which contains the basic cybersecurity controls needed to build a strong cybersecurity program. Tenable makes it easy for water utilities to meet EPA’s checklist and cybersecurity best practices, while maintaining the security and productivity of your systems.
This is only a partial list of EPA checklist items. For the complete list, please see here and here.
1.0 Account Security
Regulation / Recommendation
- 1.1Detect and block repeated unsuccessful login attempts
- 1.2Change default passwords
- 1.4Require a minimum length for passwords
How We Help
- 1.1, 1.2, 1.4Tenable audits operating system (OS) configurations to ensure the control is active and will identify incorrect configuration via reports.
2.0 Device Security
Regulation / Recommendation
- 2.2Disable Microsoft Office macros, or similar embedded code, by default on all assets
- 2.3Maintain an updated inventory of all OT and IT network assets
- 2.5Maintain current documentation detailing the set-up and settings (i.e., configuration) of critical OT and IT assets
How We Help
- 2.2Tenable audits OS configuration to ensure the control is active and will identify incorrect configuration via reports.
- 2.3Tenable provides enterprise visibility, asset discovery and mapping.
- 2.5Tenable establishes baseline settings on all OT devices and tracks deviations from the baseline, identifying configuration changes.
3.0 Data Security
Regulation / Recommendation
- 3.1Collect security logs (e.g., system and network access, malware detection) to use in both incident detection and investigation?
- 3.2Protect security logs from unauthorized access and tampering?
How We Help
- 3.1Tenable collects network traffic and creates logs for use in forensic investigations.
- 3.2Tenable stores security logs and can forward logs securely to third-party data repositories such as a SIEM or SOAR.
5.0 Vulnerability Management
Regulation / Recommendation
- 5.1Patch or otherwise mitigate known vulnerabilities within the recommended time frame
- 5.4Ensure assets connected to the public internet expose no unnecessary exploitable services (e.g., remote desktop protocol)
How We Help
- 5.1Tenable leverages domain expertise in industrial security for OT assets, and Nessus for IT assets. Tenable’s VPR scoring generates vulnerability and risk levels using each asset in your ICS network. Reports include detailed insights, along with mitigation suggestions. This enables authorized personnel to quickly identify the highest risk for priority remediation.
- 5.4Tenable maps open ports and services allowing remediation.
7.0 Response and Recovery
Regulation / Recommendation
- 7.4Maintain updated documentation describing network topology (i.e., connections between all network components) across water system OT and IT networks
How We Help
- 7.4Tenable maps the network and baselines communications between all discovered devices, aiding in the incident response (IR) process.
Available Government Funding for Water Utilities
Funding is available for states and communities to meet cybersecurity threats through loans and set-asides provided through the Drinking Water State Revolving Fund (DWSRF). The EPA Fact Sheet expressly states, “EPA encourages states to utilize the significant increase in SRF funding for infrastructure projects that make water systems more resilient to all threats — whether it is natural disasters, climate change or threats such as bioterrorism and cyberattacks.” EPA also posted this SRF Cybersecurity Fact Sheet that details how to use the DWSRF to support state programs and communities with cybersecurity measures.
Additional cybersecurity funding sources for water utilities include:
- Clean Water State Revolving Fund (CWSRF): Provides assistance to any public, private, or nonprofit entity for measures to increase the security of publicly owned treatment works, including cybersecurity.
- Drinking Water System Infrastructure Resilience and Sustainability Program: This grant program can be used for planning, design, construction, implementation, operation, or maintenance of a program or project that increases resilience of public water systems, including cybersecurity.
- CISA State and Local Cybersecurity Grant Program (SLCGP): Cybersecurity grant program for states, cities, counties, and towns from state administrative agency. Sub-award applications for cities, counties and towns must be submitted to the respective state administrative agency.
- Tribal Cybersecurity Grant Program: DHS grant program for tribal governments to help address cybersecurity risks and threats to their information systems and improve their security
The U.S. Environmental Protection Agency (EPA) withdrew its interpretive memorandum, Addressing Public Water System Cybersecurity in Sanitary Surveys or an Alternate Process, on Oct 11, 2023, due to litigation.
The information provided on this web page is dynamic and subject to change. We recommend referring to https://www.epa.gov for the most up-to-date information.