DHHS → MeCDC → Environmental and Community Health → Drinking Water → Public Water Systems → Cybersecurity and Resilience
Public Water System Cybersecurity and Resilience
Page Index
Regulatory History of Cybersecurity in the Maine Public Water Sector
For over a century, Maine PWS have taken steps to protect public water supplies from numerous risk factors. The vulnerabilities to drinking water systems have changed over time, partly due to advances in scientific understanding and technology. PWS in Maine, and across the nation, increasingly rely on digital technologies to automate and streamline operations. However, greater reliance on digital technologies means PWS are facing new challenges to their security and operations.
The US Environmental Protection Agency (EPA) warns that cyber-attacks against the water sector are increasing, and Maine is not immune to this evolving threat. On March 3, 2023, the US EPA released a memorandum (PDF) which described their interpretation of existing law to require states to evaluate cybersecurity of PWS. While the EPA has withdrawn the memorandum due to litigation, the EPA and the White House National Security Council have since released a joint letter (PDF) urging states to take action to “secure water systems against the increasing risks from and consequences of these attacks."
Based on these urgent communications from EPA and the National Security Council, the DWP believes that public water system adoption of cybersecurity best practices is critical to safeguarding drinking water supplies. In 2024, the DWP developed a Cybersecurity Plan in partnership with the Cybersecurity & Infrastructure Security Agency (CISA), the MaineIT Information Security Office, and the EPA.
DWP Cybersecurity Plan
The plan has three major goals:
- Increase PWS cyber resilience through cybersecurity assessments and adoption of cybersecurity best practices.
- Organize the DWP’s efforts to coordinate and offer resources to PWS to strengthen their cybersecurity resilience.
- Link PWS with cybersecurity experts. The DWP will monitor public water system progress to increase cyber resilience without receiving security-sensitive information.
The DWP Cybersecurity Plan includes the following elements to achieve its goals:
- Convene initial stakeholder meetings with CISA and other relevant stakeholders to focus and guide plan implementation.
- Kickoff the plan via a focused communication to every public water system in the state.
- Highlight the importance of cybersecurity and EPA’s position on the risks,
- Provide resources on cybersecurity best practices and funding opportunities, and
- Summarize the DWP’s plan.
- Maintain ongoing communications with PWS regarding new cybersecurity threats, funding opportunities, and best practices.
- Continue meeting with stakeholders as needed.
Enabling Legislation
Title IV of the Federal Public Health Security and Bioterrorism Response Act of 2002 (PDF), which amends the Safe Drinking Water Act, requires every PWS that serves more than 3,300 persons to complete a Vulnerability Assessment and develop or revise an Emergency Response Plan. The DWP interprets the regulatory requirements pertaining to Vulnerability Assessments and Emergency Response Plans to include cybersecurity.
For More Information
To learn more about cybersecurity, or how to add cybersecurity to your PWS’ Vulnerability Assessments and Emergency Response Plans, please contact Joshua Laufer, DWP Cybersecurity and Resilience Coordinator: Email or phone (207) 287-6518.
Additional Resources
Online
Documents
- Fact Sheet: Cyber Vulnerability Scanning for Water Utilities (PDF)
- Cybersecurity Awareness Month Newsletters (2024)
- Strong Passwords (PDF)
- Multi-Factor Authentication (PDF)
- Software Updates (PDF)
- Phishing (PDF)
- 12 Cybersecurity Fundamentals for Water and Wastewater Utilities (WaterISAC – PDF)
- Incident Response Guide – Water and Wastewater Sector (EPA – PDF)
- Incident Action Checklist – Cybersecurity (EPA – PDF)
- Top Cyber Actions for Securing Water Systems (CISA – PDF)
- State of Maine Cybersecurity Plan – Public Consumption (PDF)
Updated 10/24/2024