On Friday, the Environmental Protection Agency (EPA) published their long-awaited memorandum on cybersecurity in the public water sector (PWS). The memo directs state water authorities to undertake cybersecurity reviews as part of their periodic ‘sanitary surveys’ required under 40 CFR 142.16(b)(3). For every State, except Wyoming, State agencies have ‘primacy’ over the enforcement of Federal and State public drinking water rules, and are thus responsible for ensuring that the ‘sanitary surveys’ are conducted.
The EPA has also published a guidance document: ‘Evaluating Cybersecurity During Public Water System Sanitary Surveys’. This document duplicates much of the information provided in the memorandum, but provides additional information. Appendix A to the document provides a ‘Cybersecurity Checklist for Public Water System Sanitary Surveys’. Appendix B provides a more detailed description (usually with links to even more detailed discussions) for the questions provided in the Appendix A checklist. For the most part, the checklist is not really water system specific; almost any operational technology owner could use this checklist to evaluate their cybersecurity posture.
The EPA is soliciting public comments on the guidance document, specifically sections 4 through 8 and Appendix A and Appendix B. Comments should be submitted via email to wicrd-outreach@epa.gov. They should be submitted by May 31st, 2023. It will be interesting to see what comments cybersecurity professionals have on the Checklist.
For more details about the Memorandum, including a discussion about the basis for the EPA’s authority to expand the Sanitation Survey to include a cybersecurity evaluation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-drinking-water-cybersecurity - subscription required.