White House, EPA expand cybersecurity initiative to vulnerable water sector

An industrial control system cybersecurity initiative established by the Biden administration for the electric and pipeline industries will be expanded to include critical infrastructure entities in the water and wastewater sectors.

The initiative, which will be managed by the Environmental Protection Agency, will take place over the next 100 days and includes a series of actions that are designed to improve the coordination between industry and the federal government, deploy new technologies to help protect industrial control systems and improve information sharing channels.

As part of a plan developed jointly by the EPA, Cybersecurity and Infrastructure Security Agency, the National Security Council and two water sector coordinating councils, the government will provide enhanced technical support to establish a new task force of leaders in the water sector, road test new pilots to push for the adoption of incident monitoring technologies and work to improve information sharing and data analysis around cyber threats.

“The action plans for the electric grid and pipelines have already resulted in over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines deploying additional cybersecurity technologies,” Anne Neuberger, deputy national security advisor for cyber and emerging threats at the National Security Council, said in a statement. “This plan will build on this work and is another example of our focus and determination to use every tool at our disposal to modernize the nation’s cyber defenses, in partnership with private sector owners and operators of critical infrastructure.”

Many of the actions would be voluntary, and the White House referenced past incidents like the Colonial Pipeline and JBS ransomware attacks highlight the government’s “limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators.”

Water industry vulnerable to cyberattacks

The water industry is made up of thousands of different systems, many of which face strapped budgets and have little in the way of cybersecurity expertise. As part of its cybersecurity mission, CISA has been offering vulnerability scans and technical assessments for critical infrastructure entities, but do not have nearly the resources or personnel to cover everyone.

The American Water Works Association has called cybersecurity “the top threat facing businesses and critical infrastructure” in the water sector and stressed that the diverse nature of the water and wastewater sector, with organizations of varying size and ownership, a fractured splintered regulatory landscape, and a lack of cybersecurity governance protocols “present significant cybersecurity challenges.”

Like many critical infrastructure sectors, water entities “often face insufficient financial, human and technological resources” with many organizations dealing with “limited budgets, aging computer systems, and personnel who may lack the knowledge and experience for building robust cybersecurity defenses and responding effectively to cyber attacks.”

Officials are also highly concerned about a number of incidents, including an incident last year when an unidentified hacker gained access to a water treatment plant in Oldsmar, Florida, and attempted to increase the levels of lye in the local water supply by more than 100 times, something that could have poisoned thousands of residents. Officials at the plant say they witnessed the attack and reduced the levels back to normal immediately.

It’s far from the only example. Last year, a CISA alert highlighted at least five such incidents over the past three years, many of them ransomware related.

In July 2021, malicious hackers hit an unnamed California water facility with Ghost ransomware and the malware eventually infecting SCADA systems. A month before that, another actor exploited remote access to infect a Maine water facility with ZuCaNo ransomware, forcing the operators to manually run their water treatment system until they could restore from backups. Similar ransomware infections happened in March 2021 and September 2020 for water facilities in Nevada and New Jersey, while a former employee at a Kansas water facility was caught attempting to use his still active user credentials to remotely access a computer at the facility.