EPA Requires States to Address the Cybersecurity of Public Water Systems | Inside Privacy
EPA Requires States to Address the Cybersecurity of Public Water Systems
By Ashden Fein, Micaela McMurrough, Caleb Skeath & Matthew Harden on March 9, 2023
POSTED IN CYBERSECURITY
On March 3, 2023, the United States Environmental Protection Agency (“EPA”) published a memorandum requiring states to evaluate the cybersecurity of operational technology used by public water systems (“PWSs”) “when conducting PWS sanitary surveys or through other state programs.” EPA’s memorandum “interprets the regulatory requirements relating to the conduct of sanitary surveys to require that when a PWS uses operational technology, such as an industrial control system, as part of the equipment or operation of any required component of a sanitary survey, then the sanitary survey of that PWS must include an evaluation of the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.” EPA’s memorandum requiring states to address the cybersecurity of PWSs follows quickly after the White House’s release of its new National Cybersecurity Strategy, which calls for the need to use minimum cybersecurity requirements, as opposed to voluntary measures, in critical sectors to enhance national security and public safety. EPA’s focus on cybersecurity accords with the Strategy’s shift towards a more regulatory-focused cybersecurity approach. A new post on Covington’s Inside Energy & Environment blog discusses the EPA’s new memorandum on cybersecurity
By Ashden Fein, Micaela McMurrough, Caleb Skeath & Matthew Harden on March 9, 2023
POSTED IN CYBERSECURITY
On March 3, 2023, the United States Environmental Protection Agency (“EPA”) published a memorandum requiring states to evaluate the cybersecurity of operational technology used by public water systems (“PWSs”) “when conducting PWS sanitary surveys or through other state programs.” EPA’s memorandum “interprets the regulatory requirements relating to the conduct of sanitary surveys to require that when a PWS uses operational technology, such as an industrial control system, as part of the equipment or operation of any required component of a sanitary survey, then the sanitary survey of that PWS must include an evaluation of the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.” EPA’s memorandum requiring states to address the cybersecurity of PWSs follows quickly after the White House’s release of its new National Cybersecurity Strategy, which calls for the need to use minimum cybersecurity requirements, as opposed to voluntary measures, in critical sectors to enhance national security and public safety. EPA’s focus on cybersecurity accords with the Strategy’s shift towards a more regulatory-focused cybersecurity approach. A new post on Covington’s Inside Energy & Environment blog discusses the EPA’s new memorandum on cybersecurity