Update on EPA Requirement to Address Cybersecurity in Sanitary Surveys

In our April 2023 Aqua Talk article, we reviewed highlights from the March 3, 2023 US EPA Office of Water memorandum, “Addressing PWS Cybersecurity in Sanitary Surveys or an Alternate Process” issued to all State Drinking Water Administrators requiring cybersecurity evaluations during each sanitary survey. Sanitary surveys are “an onsite review of the water source, facilities, equipment, operation, and maintenance of a PWS for the purpose of evaluating the adequacy of such source, facilities, equipment, operation, and maintenance for producing and distributing safe drinking water.” In Colorado, CDPHE conducts sanitary surveys of all public water systems (PWS) every 3 years for community systems and every 5 years for non-community systems. 

What happened since the Memo was issued by EPA?  

In April 2023, the States of Missouri, Arkansas, and Iowa filed a petition with the US Court of Appeals for the Eighth Circuit against the EPA legally challenging the EPA Cybersecurity Rule. In July 2023, the U.S. Court of Appeals granted a motion for stay requested by the American Water Works Association (AWWA) and the National Rural Water Association (NRWA) to stop the U.S. Environmental Protection Agency’s Cybersecurity Rule from going into effect until the current case filed by Missouri, Arkansas and Iowa, challenging the rule has been decided. Basically, the EPA cybersecurity memo requirements are on hold until the petition has been decided. However, EPA is continuing their assistance, training and cybersecurity assessment services as described below, which is great!

What does this mean for my water system?  

Colorado will not be including cybersecurity as part of the sanitary survey process in the upcoming inspection year. However, cyber threats are a continuing concern and Colorado water systems have been attacked by cyber criminals. CDPHE strongly encourages all PWSs with industrial control system capabilities to assess their cybersecurity programs with an established method if they have not already done so. EPA is still available to conduct assessments and PWSs can request information about their evaluation services here. CISA also has cybersecurity evaluation services available and more information can be found here.

Public Water Systems should implement measures recommended from any cybersecurity assessment to ensure continued production and distribution of safe drinking water. 

Additional resources can be found: 

• EPA water sector Cybersecurity website
• EPA’s Water Security Assessment Tool
• EPA's Water Sector Cybersecurity Evaluation Program where PWSs can coordinate with EPA on cyber security assessments 
• EPA’s cybersecurity training schedule
• CDPHE’s Water Security Toolbox
• CISA Cyber Threats to W/WW website
• CISA Free Cyber Hygiene Services (including assessments and evaluations) 
• DHSEM Cyber Services Roadmap

For more cybersecurity training resources, please contact Kyra Gregory at kyra.gregory@state.co.us.

➽ Heather Young, PE, CWP, Field Services Section Manager

➽ Cameron Wilkins, PE, Field Unit II Manager