Saturday, December 17, 2022

EPA Sends State Water Cybersecurity Memo to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from the EPA a “Memorandum to State Drinking Water Administrators on Public Water System Cybersecurity”. This is not listed in the 2022 Spring Unified Agenda, so there is no specific information about what such a memorandum would contain.

Looking at various existing EPA websites relating to State supervision of cybersecurity issues at local drinking water systems (see here and here), we can get a general idea of what types of actions the EPA could expect States to “require”:

• Inventory of control system assets,

• Network segregation and firewalls,

• Secure remote access technology,

• Access control and system logs,

• Vulnerability patch policy,

• Mobile device security policy,

• Cybersecurity training program,

• Management involvement, and

• Network intrusion detection and response plan

It is important to note that the EPA, for all but one or two States, has authorized State programs to supervise the local water treatment facilities, so as a practical matter, State agencies would be expected to exercise cybersecurity oversight. Changing that State oversight would probably require legislative changes.

