Maine.gov

Division of Environmental and Community Health

Maine Center for Disease Control & Prevention

A Division of the Maine Department of Health and Human Services


Public Water System Cybersecurity and Resilience


 


Cyber-attacks against public water systems (PWS) are increasing. In response, the Maine CDC Drinking Water Program (DWP) is working with cybersecurity subject matter experts to support Maine PWS in mitigating cybersecurity risks. As noted below, the DWP intends to launch their Cybersecurity Plan for PWS in 2024.

Definition

A cyber-attack is a malicious and deliberate effort by an individual or organization to breach the information system of another individual or organization through the use of computer networks. These attacks can compromise PWS operations, the confidentiality, integrity, or availability of its digital content, and the stability of the network infrastructure itself.

 

Regulatory History of Cybersecurity in the Maine Public Water Sector

For over a century, Maine PWS have taken steps to protect public water supplies from numerous risk factors. The vulnerabilities to drinking water systems have changed over time, partly due to advances in scientific understanding and technology. PWS in Maine, and across the nation, increasingly rely on digital technologies to automate and streamline operations. However, greater reliance on digital technologies means PWS are facing new challenges to their security and operations.

The US Environmental Protection Agency (EPA) warns that cyber-attacks against the water sector are increasing, and Maine is not immune to this evolving threat. On March 3, 2023, the US EPA released a memorandum (PDF) which described their interpretation of existing law to require states to evaluate cybersecurity of PWS. While the EPA has withdrawn the memorandum due to litigation, the EPA and the White House National Security Council have since released a joint letter (PDF) urging states to take action to “secure water systems against the increasing risks from and consequences of these attacks.”

Based on these urgent communications from EPA and the National Security Council, the DWP believes that public water system adoption of cybersecurity best practices is critical to safeguarding drinking water supplies. In 2024, the DWP developed a Cybersecurity Plan in partnership with the Cybersecurity & Infrastructure Security Agency (CISA), the MaineIT Information Security Office, and the EPA.

 

DWP Cybersecurity Plan

The plan has three major goals:

  1. Increase PWS cyber resilience through cybersecurity assessments and adoption of cybersecurity best practices.
  2. Organize the DWP’s efforts to coordinate and offer resources to PWS to strengthen their cybersecurity resilience.
  3. Link PWS with cybersecurity experts. The DWP will monitor public water system progress to increase cyber resilience without receiving security-sensitive information.

The DWP Cybersecurity Plan includes the following elements to achieve its goals:

  1. Convene initial stakeholder meetings with CISA and other relevant stakeholders to focus and guide plan implementation.
  2. Kick off the plan via a focused communication to every public water system in the state.
    • Highlight the importance of cybersecurity and EPA’s position on the risks,
    • Provide resources on cybersecurity best practices and funding opportunities, and
    • Summarize the DWP’s plan.
  3. Maintain ongoing communications with PWS regarding new cybersecurity threats, funding opportunities, and best practices.
  4. Continue meeting with stakeholders as needed.
 

Enabling Legislation

Title IV of the Federal Public Health Security and Bioterrorism Response Act of 2002 (PDF), which amends the Safe Drinking Water Act, requires every PWS that serves more than 3,300 persons to complete a Vulnerability Assessment and develop or revise an Emergency Response Plan. The DWP interprets the regulatory requirements pertaining to Vulnerability Assessments and Emergency Response Plans to include cybersecurity.

 

For More Information

To learn more about cybersecurity, or how to add cybersecurity to your PWS’ Vulnerability Assessments and Emergency Response Plans, please contact Joshua Laufer, DWP Cybersecurity and Resilience Coordinator: Email or phone (207) 287-6518.

 

Additional Resources



Updated 6/27/2024