With over 42% of Water Treatment Plants having no Cyber Security, the May 31st 2023 EPA’s deadline is daunting for many Water Processing Plants. Cyber Physical protection is a critical area that must be addressed as part of the overall water plant security assessment.
In 2021, the Water Sector Coordinating Council conducted a survey of the US water and wastewater sector, finding nearly 60% of respondents reported conducting cybersecurity risk assessments less than once a year or never, or otherwise had no idea when they were. As a result, the US Environmental Protection Agency (EPA) has announced new rules that will require state governments to audit public water utilities for cybersecurity procedures and preparedness—and will allow regulators to force them to improve their security. While the EPA’s new guidance is intended for immediate implementation, the agency is accepting public comment until May 31, 2023. An extensive checklist the EPA has distributed states that “potential significant deficiencies” can include everything from use of default or insecure passwords in operational technology, to inadequate vulnerability mitigation for physical locations, to a lack of a named cybersecurity chief, separately stored backups, or incident response plan.
The EPA also cautioned that water utilities should install “independent cyber-physical safety systems” that would prevent dangerous conditions if the control system were compromised, such as a malicious actor gaining access to a control pump and raising the pH to hazardous levels. Best practices for cyber physical security include not only perimeter security with multi-factor authentication to ensure there is an audit trail of who accessed the facility with strong identity assurance to ensure that the individual is authorized for access but also to apply the same level of security for interior unmanned areas such as control rooms, key cabinets and MDF/IDF closets. BioConnect’s Trust platform is designed to provide a comprehensive cyber physical solution for all critical access points within a water treatment facility.