Under the Biden administration, the nation's essential infrastructure has largely been strengthened through fiat, with executive orders primarily aimed at tightening cybersecurity standards for major businesses.
The next area is public water systems, but this time the Environmental Protection Agency (EPA) is utilizing its authority to compel states to address public health risks.
The EPA document treats security holes in public water systems as potential sources of pollution, and hence as a risk to public health that falls under its purview. The new cybersecurity standards are part of a directive to add components to routine "sanitary surveys," issued after a thorough EPA study revealed that many public water systems nationwide lack cybersecurity plans.
Public water systems were under pressure to be the next sector to upgrade defences, following the pipeline and power mandates.
Despite threat actors' increased targeting of public water systems, the EPA finds that these systems frequently have an inadequate cybersecurity programme or none at all. Now, these utilities must conduct recurring audits to look for "serious weaknesses" such as known security flaws or a lack of security measures.
However, the agency is providing a range of choices for public water systems to satisfy these new cybersecurity criteria. The utilities may self-evaluate using a variety of public and private sector standards, such as NIST or ISO, provided that this choice is permitted by the state in question.
The state also has the option of sending its own surveyors. The emergency agency or a comparable entity can continue to undertake inspections in states that are ahead of the curve and already carry out such checks. When flaws are discovered in public water systems, states are also given the authority to require further risk mitigation strategies, which are subsequently evaluated during sanitary assessments. The EPA is providing states with technical support for creating and adhering to cybersecurity regulations.