Sunday, March 5, 2023

Review - EPA Publishes Drinking Water Cybersecurity Memo

On Friday, the Environmental Protection Agency (EPA) published their long-awaited memorandum on cybersecurity in the public water sector (PWS). The memo directs state water authorities to undertake cybersecurity reviews as part of their periodic ‘sanitary surveys’ required under 40 CFR 142.16(b)(3). For every State, except Wyoming, State agencies have ‘primacy’ over the enforcement of Federal and State public drinking water rules, and are thus responsible for ensuring that the ‘sanitary surveys’ are conducted.

The EPA has also published a guidance document: ‘Evaluating Cybersecurity During Public Water System Sanitary Surveys’. This document duplicates much of the information provided in the memorandum, but provides additional information. Appendix A to the document provides a ‘Cybersecurity Checklist for Public Water System Sanitary Surveys’. Appendix B provides a more detailed description (usually with links to even more detailed discussions) for the questions provided in the Appendix A checklist. For the most part, the checklist is not really water system specific; almost any operational technology owner could use this checklist to evaluate their cybersecurity posture.

The EPA is soliciting public comments on the guidance document, specifically sections 4 thru 8 and Appendix A and Appendix B. Comments should be submitted via email to They should be submitted by May 31st, 2023. It will be interesting to see what comments cybersecurity professionals have on the Checklist.


For more details about the Memorandum, including a discussion about the basis for the EPA’s authority to expand the Sanitation Survey to include a cybersecurity evaluation, see my article at CFSN Detailed Analysis - subscription required.
