Last week EPA’s Office of Water finalized a report describing how it plans to provide voluntary cybersecurity technical support to drinking water systems, the second of two cyber-related actions that were mandated by Congress last year as part of the Bipartisan Infrastructure Law.
The infrastructure law first required EPA to develop a “prioritization framework” to identify public water systems that “if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public.” That framework was released in May and outlined how EPA would prioritize delivering technical cybersecurity aid to water systems during a scenario where the demand for such aid outstripped the agency’s near-term capacity to provide it. That framework explained that EPA would prioritize delivering aid based on factors such as the risk to downstream critical infrastructure and national security assets, the capabilities of water systems to address vulnerabilities without federal support, and the risk reduction benefits that would be achieved as a result of the support.
Second, EPA was directed to develop a Technical Cybersecurity Support Plan for public water systems. The report was to include specific EPA and DHS cybersecurity resources that may be utilized by water systems, timelines for making voluntary technical support available to water systems, and a list describing systems in need of technical support.
EPA’s support plan includes four categories of technical cybersecurity support that are currently available to public water systems, such as the Vulnerability Self-Assessment Tool and the Cybersecurity Incident Action Checklist. The plan further explained that EPA would make additional resources available beginning in 2023, such as a checklist of cybersecurity best practices for small water systems, and new technical support to help public water systems address vulnerabilities in current cybersecurity practices. Access the EPA Technical Cybersecurity Support Plan at the attachment below.