How the Biden administration plans to protect your water systems from hackers
The incident at the Tampa-area facility did no harm, but it did increase the focus of federal officials and the water industry on vulnerabilities in the sector.
“There is absolutely insufficient cyber resilience across the water sector” to criminal and state-sponsored hackers, a senior government told reporters while previewing the announcement.
The water security initiative will initially focus on defending the water systems that serve most people and then expand to smaller facilities, officials said.
The Environmental Protection Agency and the US Cybersecurity and Infrastructure Security Agency will invite water utilities on a pilot program to deploy more sophisticated defense tools on their systems, officials said. Data from the pilot program — and input from water utilities already using the technology — will be the basis for training and guidance that federal officials are providing to the sector.
The initiative follows similar “100-day plans” implemented by the Biden administration to increase cybersecurity in the power and natural gas sectors.
The Water Security Initiative is voluntary. While in other cases federal agencies can regulate pipelines and electric utilities, they have very limited authority to impose cybersecurity rules on water utilities.
It’s about a lot.
“Cyberattacks pose an increasing threat to water systems and therefore to the security of our communities,” EPA Administrator Michael S. Regan said in a statement.
The water sector, like other critical infrastructure, must contend with ransomware attacks and the potential for state-sponsored espionage. A ransomware incident at a Nevada water facility last March affected a computer system that gave plant workers visibility into the facility’s operations, according to a public recommendation from the FBI and other agencies.
Awareness of the threats and the coordination to deal with them have grown in recent years. The Water Information Sharing and Analysis Center works with several hundred utilities and other organizations in the US and elsewhere to disseminate cyber threat data shared by the US government.
But the resources were a big challenge.
In a 2020 survey, just 19% of water professionals were confident that fees and tariffs could cover existing services for their utilities, let alone the cost of upgrading their infrastructure.