In an important development for the future of cybersecurity in the water sector, the U.S. Environmental Protection Agency (EPA) has indicated it will pursue a voluntary partnership model ? rather than a regulatory approach ? to manage cybersecurity risks at water utilities.
In communicating its decision to the White House this week, Peter Grevatt, EPA?s director of the Office of Ground Water and Drinking Water, said ?if the voluntary partnership model is not successful in achieving widespread implementation of the [National Institute of Standards and Technology] Cybersecurity Framework or if warranted by a changing cybersecurity risk profile, the EPA can revisit the option of using general statutory authority to regulate cybersecurity in the Water and Wastewater Systems sector.?
Earlier this year, the American Water Works Association (AWWA) issued?guidance and a supporting tool?to provide utilities with more actionable information on cybersecurity. These resources are directly cited in the EPA letter among ?notable activities? to reduce cybersecurity risks.
AWWA encourages all water utilities to take advantage of these resources; they represent a voluntary sector-specific approach for adopting the NIST Cybersecurity Framework.
A summary of the guidance is available here:
http://www.awwa.org/resources-tools/water-utility-management/cybersecurity-guidance.aspx