EPA Submits Cybersecurity Support Plan for Public Water Systems to Congress

Last week, the Environmental Protection Agency (EPA) submitted a “Technical Cybersecurity Support Plan for Public Water Systems” to Congress as required under the 2021 Infrastructure Investment and Jobs Act (IIJA), commonly referred to as the Bipartisan Infrastructure Law, or BIL. Congress directed EPA, in coordination with Cybersecurity and Infrastructure Security Agency (CISA), to develop the report detailing their approach for providing voluntary support to public water systems (PWSs). The report follows the release of a separate document required under the BIL, the Prioritization Framework,  that describes a methodology for prioritizing PWSs for technical cybersecurity support that “if degraded or rendered inoperable due to an incident, would lead to significant impacts on health and safety of the public.”

Pursuant to the BIL, the Support Plan outlines: “(i)…the methodology [as established by the Prioritization Framework] for identifying specific PWSs for which cybersecurity support should be prioritized, (ii)…timelines for making voluntary technical support for cybersecurity available to specific PWSs, (iii)…PWSs identified by [EPA], in coordination with [CISA], as needing technical support for cybersecurity, and (iv)…specific capabilities of [EPA] and [CISA] that may be utilized to provide support to PWSs…including (I) site vulnerability and risk assessments, (II) penetrations tests; and (III) any additional support determined to be appropriate by [EPA].”

Here’s a brief summary of the major components of the Plan:

1. The Prioritization Framework – the Framework is not a fixed prioritization, but rather a series of qualitative questions a PWSs would be required to answer for evaluating where EPA or CISA would target support resources in the event the “demand for cybersecurity support exceeds [EPA or CISA’s] near term capacity to respond.”
2. Timelines for Making Support Available – the Support Plan states that “the wait time to schedule facilitated assessments is minimal. For example, PWSs that register for EPA’s Water Sector Cybersecurity Technical Assistance Provider Program are contacted within a few days for a preliminary assessment, and…vulnerability scanning and web application scanning offered by CISA typically begin within one week of a facility returning the appropriate forms.” It is unclear if these timelines would hold given an increase in support requests as more systems seek assessments or follow-up assistance to mitigate vulnerabilities identified.
3. PWSs Identified as Requiring Technical Support  – small (less than 3,300) and non-community water systems who have not completed risk and resilience assessments, such as those required for all community water systems serving over 3,300 under the America’s Water Infrastructure Act of 2018 (AWIA), were identified as systems who “may have an elevated need…[for]..additional resources.” The Plan also identified a second category of PWSs who may need additional support; those who may discover vulnerabilities resulting from a cybersecurity assessment.
4. Capabilities of EPA and CISA to Provide Support – the last section lists the currently availability resources from EPA and CISA, as well as planned support resources scheduled for release in 2023. The Plan notes that other tools and resources exist beyond those detailed, including those from water sector organizations, such as AWWA and the WaterISAC, as well as the private sector. The resource list is organized into four categories: Assessments and Vulnerabilities, ICS, Vendor/Third-Party Management, and Training Courses and Exercises. On future offerings, the Plan outlines the Agency’s intention to develop a Checklist of Cybersecurity Best Practices that will accompany an online training course targeted at those small community and all non-community water systems who had not completed risk assessments under AWIA. EPA is also planning to stand up a service where subject matter experts are available to offer technical advice to PWSs on approaches to mitigating vulnerabilities in current cybersecurity practices, such as those identified through an assessment program.

ASDWA will continue to track developments as the Agency implements the Support Plan and will share information on new support resources as they become available.