The Biden administration will help deliver cyber defense technologies and threat intelligence to US water utilities to try to bolster security for a sector that is often short of cash and personnel to deal with hacking threats, officials announced Thursday.
The “100-day” plan to increase cybersecurity resources for some of America’s 150,000 public water systems comes a year after a hacker breached a Florida water treatment facility and temporarily changed the plant’s chemical setting to a potentially dangerous level.
The incident at the Tampa-area facility did not cause any harm, but it spurred a heightened focus on the sector’s vulnerabilities among federal officials and the water industry.
“There is absolutely inadequate cyber resilience across the water sector” to criminal and state-sponsored hackers, a senior administration told reporters in previewing the announcement.
The water security initiative will first focus on defenses at the water systems that serve the most people and then expand to smaller facilities, officials said.
The Environmental Protection Agency and US Cybersecurity and Infrastructure Security Agency will invite water utilities to a pilot program to deploy more sophisticated defensive tools on their systems, officials said. Data from the pilot program – and input from water utilities already using such technology – will be the basis of training and guidance that federal officials provide the sector.
The initiative follows similar “100-day plans” that the Biden administration has done to boost cybersecurity in the electricity and natural gas sectors.
The water security initiative is voluntary. Whereas, in other cases, federal agencies can regulate pipelines and electric utilities, they have very limited authority to impose cybersecurity rules on water utilities.
The stakes are high.
“Cyberattacks represent an increasing threat to water systems and thereby the safety and security of our communities,” EPA Administrator Michael S. Regan said in a statement.
The water sector, like other critical infrastructure, has to contend with ransomware attacks and the potential for state-sponsored espionage. A ransomware incident at a Nevada water facility last March affected a computer system that gave plant employees visibility over the facility’s operations, according to a public advisory from the FBI and other agencies.
Awareness of the threats, and coordination to address it, have grown in recent years. The Water Information Sharing and Analysis Center works with several hundred utilities and other organization across in the US and elsewhere to disseminate cyberthreat data shared by the US government.
But resources have been a stark challenge.
In a 2020 survey, just 19% of water professionals were confident that fees and rates could cover existing services for their utilities, let alone the cost of upgrading their infrastructure.