By Richard Robinson | April 2023
The Environmental Protection Agency’s memorandum on “Addressing PWS Cybersecurity in Sanitary Surveys or an Alternate Process” is a “guide” for public water systems (PWS) to evaluate and improve their cybersecurity posture. The memorandum does provide some useful guidance and recommendations for PWS to identify, assess, and manage cybersecurity risks in their operations, including conducting vulnerability assessments, developing incident response plans, and implementing cybersecurity controls.
One of the strengths of this memorandum is that it acknowledges the unique challenges and limitations that PWS is confronted with in implementing cybersecurity measures, such as limited financial resources or technical expertise. The memorandum does provide practical recommendations that are tailored to the specific needs and resources of PWS, such as prioritizing critical assets and systems, and leveraging existing resources and partnerships.
However, there are significant limitations and challenges associated with the memorandum. For example, while the guidance provides detailed instructions for conducting vulnerability assessments and implementing cybersecurity controls, it does not provide sufficient guidance for PWS on how to prioritize and allocate resources to address the most critical risks. Additionally, the guidance does not sufficiently address the rapidly evolving cybersecurity threat landscape and may not be comprehensive enough to address all potential risks and vulnerabilities.
There are a few deficiencies in the memorandum. Some of these include:
Lack of specificity: While the memorandum provides general guidance on how public water systems (PWS) can improve their cybersecurity posture, it does not provide enough detail on how to implement specific controls or address specific vulnerabilities.
Insufficient guidance for small PWS: The memorandum does not provide enough guidance for small PWS that may have severely limited resources or technical expertise to implement cybersecurity measures.
Lack of clarity on compliance requirements: While the memorandum provides recommendations for PWS to improve their cybersecurity posture, it is not entirely clear whether compliance with these recommendations is mandatory or voluntary, I will guess mostly voluntary.
The memorandum mainly focuses on conducting vulnerability assessments, developing incident response plans, and implementing cybersecurity controls. However, there are other substantive and more impactful areas of cybersecurity, such as ICS/SCADA physical communications monitoring (IP and Non-IP), Asset and Inventory management, threat intelligence or network segmentation, that should also be of critical importance for PWS to consider.
The memorandum also does not explicitly require Public Water Systems to monitor ICS/SCADA communications. So, while monitoring ICS/SCADA communications is not explicitly required, it is an important and critical consideration for PWS in enhancing their cybersecurity resilience.
Requiring the monitoring of ICS/SCADA (Serial, analog and IP) communications could improve the Environmental Protection Agency position in providing appropriate guidance to PWS in several ways.
First, monitoring ICS/SCADA communications can help identify and prevent potential cyber threats to the Public Water Systems. This is because monitoring can provide real-time visibility into the network traffic, allowing for the detection of any anomalous or suspicious behavior. This can help identify any potential cyberattacks early, allowing for a timely response to prevent or mitigate the impact of the attack.
Secondly, monitoring ICS/SCADA communications can help in the identification of vulnerabilities in the Public Water System’s network infrastructure. By analyzing network traffic, security teams can identify any weak points in the network infrastructure that may be exploited by attackers. This information can then be used to proactively implement security controls to prevent any potential cyber threats.
Finally, monitoring ICS/SCADA communications can help in the forensic investigation of any cyber incidents that may occur in the future. By having detailed network traffic logs, it becomes easier to trace the origin of an attack, understand its impact, and implement measures to prevent similar attacks in the future. By not requiring this as part of the memorandum is missing a fundamental component in improving PWS cyber security posture.
The memorandum also does not explicitly require Public Water Systems (PWS) to provide Inventory and Asset Management reporting on their ICS/SCADA systems.
Requiring asset and inventory management of ICS/SCADA systems can significantly improve the Environmental Protection Agency’s position in addressing cyber security concerns for Public Water Systems. By requiring the keeping a record of all the assets and inventory related to the ICS/SCADA systems, Public Water Systems can better understand their network and system topology, including potential vulnerabilities and risks. This information can help in the identification of critical assets and systems that require more protection and monitoring.
Asset and inventory management can also assist in maintaining the cybersecurity resilience of the Public Water Systems. As the systems and components age or become outdated, Public Water Systems can identify these components and take necessary action to update them to maintain their security posture. It can also help to identify potential security risks, such as unsupported software and hardware, and enable the Public Water Systems to take proactive measures to mitigate these risks.
In addition, asset and inventory management can provide a baseline for detecting and responding to cyber incidents. By comparing the network’s current state to the baseline, Public Water Systems can identify anomalies that may indicate potential cyber threats. This information can help in the quick detection of security incidents and response.
Therefore, requiring asset and inventory management of ICS/SCADA systems can be a critical component in effectively addressing cybersecurity concerns for Public Water Systems.
Going forward there are several ways the EPA’s approach could be improved in addressing cybersecurity concerns for Public Water Systems:
Clearer guidance on cybersecurity requirements: The memorandum could provide more explicit guidance on the specific cybersecurity requirements for Public Water Systems. This could include details on which systems should be protected, the types of cybersecurity controls that should be in place, and how to effectively implement these controls.
Mandatory cybersecurity assessments: The memorandum could make cybersecurity assessments mandatory for all Public Water Systems, rather than just recommended. This would ensure that all systems are regularly assessed for cybersecurity risks and vulnerabilities, and appropriate action is taken to mitigate them.
Increased technical expertise: The memorandum could encourage Public Water Systems to hire or contract with cybersecurity experts to help identify and address cybersecurity risks. This would help ensure that Public Water Systems have the necessary technical expertise to effectively implement cybersecurity controls and respond to incidents.
More robust incident response planning: The memorandum could provide guidance on developing and implementing incident response plans that are tailored to the unique needs of Public Water Systems. This could include details on incident detection and reporting, incident response roles and responsibilities, and steps to be taken to minimize damage and restore normal operations following an incident.
Increased funding and resources: The memorandum could encourage increased funding and resources to support Public Water Systems in their efforts to improve cybersecurity resilience. This could include federal grants and other funding opportunities, as well as access to technical expertise and training resources.
Requiring the monitoring of ICS/SCADA (Serial, analog and IP) communications could improve the Environmental Protection Agency’s memorandum on “Addressing PWS Cybersecurity in Sanitary Surveys or an Alternate Process” in addressing cybersecurity concerns for Public Water Systems in several ways.
Requiring asset and inventory management of ICS/SCADA systems can significantly improve addressing cyber security concerns for Public Water Systems. By keeping a record of all the assets and inventory related to the ICS/SCADA systems, Public Water Systems can better understand their network and system topology, including potential vulnerabilities and risks. This information can help in the identification of critical assets and systems that require more protection and monitoring.
Lastly, the memorandum does not provide a specific definition of what it means for a Public Water System to be “compliant” with the guidance. Instead, the memorandum provides guidance on how Public Water Systems can evaluate their cybersecurity posture and identify areas for improvement. It is ultimately up to each Public Water System to determine what actions they need to take to improve their cybersecurity resilience. In the longer run this will not be adequate to address the challenges that PWS currently faces or will continue to face.