White House, EPA release 100-day cybersecurity plan for water utility operators
The White House, Environmental Protection Agency (EPA) and Cybersecurity and Infrastructure Security Agency (CISA) are rolling out a 100-day plan to improve the cybersecurity of the country’s water systems, which faced a variety of attacks over the last year.
The “Industrial Control Systems Cybersecurity Initiative — Water and Wastewater Sector Action Plan” includes several measures that officials believe can be taken in the next few months to address cybersecurity gaps within the water utility industry.
The plan will create a task force of leaders in the water utility industry, kickstart incident monitoring pilot programs, improve information sharing and provide technical support to water systems in need of help.
EPA Administrator Michael Regan said cyberattacks represent an “increasing threat to water systems and thereby the safety and security of our communities.”
“As cyber-threats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America,” Regan said. “EPA is committed to working with our federal partners and using our authorities to support the water sector in detecting, responding to, and recovering from cyber-incidents.”
The White House said the plan will offer owners and operators technology that will provide “near real-time situational awareness and warnings.” The Washington Post noted that over 150,000 water utilities serve the US population.
“This sector is made up of thousands of systems that range in size from the very small to ones that service major metropolitan cities that have little or no cybersecurity expertise and are unsure what steps they should take to address cyber risks. EPA and CISA will work with appropriate private sector partners to develop protocols for sharing information,” the Biden Administration said.
“The government will not select, endorse, or recommend any specific technology or provider. The plan will initially focus on the utilities that serve the largest populations and have the highest consequence systems; however, it will lay the foundation for supporting enhanced ICS cybersecurity across water systems of all sizes.”
In October, CISA warned US water and wastewater system operators about an array of cyber threats aimed at disrupting their operations.
The notice listed several recent attacks since 2019, including one in August 2021 that involved the Ghost ransomware being deployed against a facility in California. Attackers spent a month inside the system before putting up a ransomware message on three supervisory control and data acquisition servers.
An attack in July 2021 saw the ZuCaNo ransomware used to damage a wastewater facility in Maine. In March 2021, a Nevada water treatment plant was hit with an unknown ransomware variant.
In September 2020, the Makop ransomware hit a New Jersey facility, and another attack in March 2019 involved an attempt to threaten the drinking water of a town in Kansas. There was also a headline-grabbing attack in February 2021 where an unidentified hacker accessed the computer systems of a water treatment facility in the city of Oldsmar, Florida and modified chemical levels to dangerous parameters.
Recent reports indicate that 1 in 10 waste or wastewater plants has a critical security vulnerability.
“Over the past year, we’ve seen cyber threats affecting the critical infrastructure that underpins our communities and the services we all rely on, including safe and clean water,” CISA Director Jen Easterly said.
“To reduce the likelihood and impact of damaging cybersecurity intrusions to the water sector, we’re teaming up with our EPA partners to provide guidance, technology, and direct support to the sector. The action plan announced today will help us better understand and reduce the risks across the water and wastewater sector both in the near and long term, and keep the American people safe.”
The White House noted in its statement that the recent attacks on Colonial Pipeline and food processor JBS “are an important reminder that the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure.”
The water plan was developed by the EPA, National Security Council, CISA, the Water Sector Coordinating Council and the Water Government Coordinating Council.
National Cyber Director Chris Inglis explained that the plan will provide owners and operators of water utilities with a roadmap for high-impact actions to improve their operations’ cybersecurity.
The 100-day plan is part of President Joe Biden’s Industrial Control Systems (ICS) Initiative that aims to help critical infrastructure organizations with tools that provide greater visibility, indicators, detections, and warnings about cyber threats.
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the action plans that were created for electric grids and pipeline operators “have already resulted in over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines deploying additional cybersecurity technologies.”
“This plan will build on this work and is another example of our focus and determination to use every tool at our disposal to modernize the nation’s cyber defenses, in partnership with private sector owners and operators of critical infrastructure,” Neuberger said.
Secretary of Homeland Security Alejandro Mayorkas added that “American lives depend on protecting the Nation’s critical infrastructure from evolving cybersecurity threats.”
Responses to the 100-day plan among ICS cybersecurity experts were mixed. Mark Carrigan, cyber VP of process safety and OT cybersecurity at Hexagon PPM, told ZDNet that the measures outlined “will not be nearly sufficient to reduce the risk to an acceptable level.”
The state of detection technology today is not “fool-proof,” according to Carrigan, who noted that many infiltrations and subsequent attacks start with exploiting zero-day vulnerabilities that are not recognized until after the fact.
“It’s like closing the barn door after the cows have gotten out. It is time for critical infrastructure to increase investments to improve operational resiliency so that we can respond to an attack, minimize the impact, and restore operations within an acceptable period of time,” Carrigan said.
“We must accept the fact that we cannot prevent all cyber-attacks due to the nature of the control systems that deliver critical services. We must improve our ability to respond and recover.”