EPA Leading White House Effort to Secure the Water Sector Against Cyberattacks

Vithun Khamsong/Getty Images

This is the third in a series of 100-day sprints to shore up industrial control systems used in critical infrastructure.

The Biden administration is extending an initiative to improve the cybersecurity of industrial control systems to the water sector. It will be executed by the Environmental Protection Agency in collaboration with the Cybersecurity and Infrastructure Security Agency and private-sector leaders.

“A cyberattack on a water system could be carried out to manipulate treatment processes to produce unsafe water, also to damage water system infrastructure or even to stop the flow of water to consumers,” senior administration officials said on a call with reporters Wednesday, announcing the expansion of the initiative.

Industrial control systems that manage physical processes at heavy-duty facilities have become increasingly digitized and vulnerable to malicious hackers as demonstrated by an attack last February on a water treatment plant in Oldsmar, Florida.

The industrial control system cybersecurity initiative started last April with 100-day stretches focused first on the electricity sector and then the pipeline sector. According to the officials, more than 150 electric utilities and “multiple critical natural gas pipelines have deployed, or are in the process of deploying, additional cybersecurity technologies” due to the initiative, which relies on voluntary participation by the private sector.

Over the next 100 days, the officials said the initiative will focus on the water sector, starting first with systems serving the high population areas that would suffer the largest consequences from a cyber attack.    

The two primary goals of the effort will be for operators to adapt technology to provide early detection of cybersecurity incidents and to facilitate the sharing of cyber-threat data with the government. The officials said the plan will assist participating operators with the installation of monitoring technology on their systems that would help to generate warnings about vulnerabilities, and corresponding remediations, across the country.

The officials suggested the plan would ideally leverage CISA’s CyberSentry offering to support a pilot the government will invite operators to participate in, but that “it is yet to be determined if the ICS cybersecurity monitoring would be provided by the deployment of commercial cybersecurity technology or through an existing federal program.” 

Other parts of the plan for the water sector include engaging water utilities that have already started using the monitoring technology, in order to gather information and ultimately compile guidance and training for the water sector.

The officials said that, unlike the pipeline sector which is subject to a mandatory cybersecurity directive issued by the Transportation Security Administration, the EPA has limited authorities to impose basic cybersecurity requirements on operators. 

The White House is working with the EPA on legislation it hopes to propose this year that would grant authorities similar to those held by TSA for regulating the water sector, the officials said.