Biden administration launches initiative to protect U.S. water systems from cyberattacks
The Biden administration on Thursday will kick off an effort to protect the country’s water sector from cyberattacks, the latest attempt by the federal government to strengthen the digital defenses of the nation’s critical infrastructure.
The administration will formally extend President Joe Biden’s “Industrial Control Systems Cybersecurity Initiative” — which was established last year and already includes the country’s electric system and natural gas pipelines — to encourage owners and operators of water and wastewater systems to improve their capabilities for identifying cyber threats to their networks. The 100-day effort is also intended to promote information sharing about such threats with the government.
“There is absolutely inadequate cyber resilience across the water sector,” a senior Biden administration official told reporters on Wednesday. “The threshold of resilience is not what it needs to be to meet threats today.”
The expanded effort — led by the Environmental Protection Agency in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) — comes after the federal government sounded the alarm last year about water and wastewater facilities coming under attack from ransomware.
Last October, the FBI, CISA, the EPA and the National Security Agency issued a joint cybersecurity advisory that highlighted incidents in five states where systems were targeted by either ransomware attacks or other hacks. The bulletin omitted a February 2021 attack at a water treatment facility in Florida where an intruder broke into the plant’s computer system and temporarily changed the site’s sodium hydroxide level — a switch that was reversed by an employee before it could reach a potentially dangerous amount.
The water sector consists of more than 150,000 public systems that serve roughly 300 million Americans. Water systems have become increasingly automated, with owners relying on process controls and electronic networks to monitor and operate virtually all aspects of their work, from intake and distribution to treatment.
All of those processes “could be vulnerable to a cyberattack,” warned a second administration official, who like the first was only authorized to speak anonymously.
The digital strikes on the Colonial Pipeline and meat-processing giant JBS Foods “have underscored that the federal government really needs to explore, in the very short term, innovative approaches and leverage the creativity of the public and private sectors to secure our critical infrastructure,” the second official added.
As part of the 100-day action plan — which will initially focus on water systems that serve the largest populations and therefore could suffer the greatest consequences from a cyberattack — the EPA will invite water utilities to voluntarily participate in a pilot program for industrial control system monitoring and information sharing to gather basic information, like the cost of employing such technologies, how they performed, and the number of man-hours required.
The second administration official said it is “yet to be determined” if the federal government would deploy the technology via the commercial sector or an existing federal program, like CISA’s CyberSentry program, which is focused on protecting critical infrastructure systems against hackers
The EPA will also engage water sector utilities that have already adopted digital threat monitoring technologies to discuss their experiences.
The agency will then compile the data from both tracks to create guidance and training for the rest of the vast sector.
Both administration officials noted that unlike the Transportation Security Administration, which possesses emergency authorities that allowed it to establish cybersecurity mandatory requirements late last year, the EPA lacks such powers.
However, the first official said the administration is working with Congress to provide the EPA with the new authorities this year that would allow it to set digital security thresholds, including cyber incident reporting.
The second official conceded the federal government currently has limited authorities to set cybersecurity baselines for critical infrastructure, noting there has been “reluctance” within the water sector to share information about potential threats.
Still, “our hope is that we will develop protocols for ICS cybersecurity monitoring, information sharing and analytical coordination between the US government and water utilities, and that will be a critical component of the ICS monitoring initiative,” the official told reporters.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.