EPA preps cyber rule for water sector

By Lamar Johnson, Hannah Northey | 07/29/2022 04:12 PM EDT

As cyberthreats at water facilities continue to mount across the country, a White House official said EPA will soon issue a rule to expand regular reviews to include cybersecurity.

Water faucet with binary code hacking  illustration.

A White House official this week said EPA is poised to impose new rules that would require states to assess cybersecurity measures at water utilities. Photo credit: Claudine Hellmuth/E&E News (illustration/animation); EPA (faucet); Kjpargeter/FreePik (binary code)

EPA is poised to announce a new rule that would require states to oversee more than 1,000 water utilities’ cybersecurity plans, according to a top White House official.

Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at an event hosted by the Center for a New American Security yesterday that EPA will be issuing a rule “shortly” to expand the regular reviews to include cybersecurity as threats at facilities mount across the country.

Neuberger’s comments were first reported by POLITICO yesterday.


The water sector has seen a surge of cybersecurity attacks in recent months and years, including a high-profile event in Oldsmar, Fla., last year when a hacker gained control of a water utility’s operating systems (Energywire, Feb. 10, 2021).

That event and others have revealed vulnerabilities as threats continue to grow for a sprawling sector that oversees itself.

“We are behind other countries in setting cybersecurity requirements for the critical elements of infrastructure — the most significant water, power, pipelines [and] hospitals in the country — as well as the technology that crosses all of them,” Neuberger said.

Neuberger said it is important for Congress to make sure that EPA has the authority and resources to handle the issue.

“We need the Hill to ensure that those authorities are clear so that as threats continue to evolve … as [systems are] modernized, to ensure sensors are added to ensure cybersecurity is baked in,” she added.

When asked whether a rule is in the works, Tim Carroll, a spokesperson for EPA, said the agency is moving forward with a regulatory approach to improve cybersecurity at water systems that could affect safe drinking water, and that the agency has partnered with states to identify ways to help utilities.

The Biden administration has been pursuing various actions in order to beef up the sector’s cybersecurity practices, including releasing a voluntary 100-day action plan for facilities in January (Greenwire, Jan. 27).

“Recent events have highlighted the importance of this effort, and the agency is taking a multi-pronged approach in close partnership and coordination across the federal government and in collaboration with state agencies,” Carroll said.

Water facility treatment operators are generally not given cybersecurity training as part of their on-the-job training or certification requirements.

The White House didn’t immediately respond to questions about Neuberger’s comments.

Reporter Christian Vasquez contributed.