On Thursday 27th of January, the Biden-Harris Administration announced it will extend the Industrial Control Systems (ICS) Cybersecurity Initiative to the water sector. The Water Sector Action plan outlines surge actions that will take place over the next 100 days to improve the cybersecurity of the sector. The action plan was developed in close partnership with the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC).
“The incidents at Colonial Pipeline, JBS Foods, and other high-profile critical infrastructure providers are an important reminder that the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure,” the announcement stated.
“The Administration has already established ICS initiatives for the electric and natural gas pipeline subsectors, and today over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines have deployed or are in the process of deploying additional cybersecurity technologies.
The Water Sector Action Plan is a collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings.”
Commenting on the news, Nozomi Networks’ Security Analyst Chris Grove stated:
“We’re seeing a constant drumbeat of US government efforts to collaborate with private sector to establish programs, policies and standards intended to strengthen critical infrastructure cybersecurity. But it takes more than a mandate or directive to bring about meaningful change.
“In this case, the vast diversity of water systems in the United States makes this effort even more challenging. The Federal government is limited in what it can regulate when it comes to water systems running under local government controls. And one could argue the biggest barrier to stronger cybersecurity is funding.
“In addition to the obvious funding questions, the water sector is in a unique predicament which has yet to be addressed. Most other sectors are for-profit entities or have access to budget. “However, the water/wastewater sector is reliant on taxpayers, in many cases. Because of this, in addition to adding new hurdles for operators to clear, there’s a critical need for public outreach and public education on the importance of investing in more secure water systems, and the high cost of inaction.
‘In some cases, cities are having to choose between funding police body cams, a new park, updating the fire department or cybersecurity for the water department. Without awareness of the issues solved by funding cybersecurity projects, it’s tough for defenders to leverage resources, even when available. Someone can offer free hardware and technology, but if no one is able to deploy, maintain, or monitor it, it doesn’t really help the defenders. Investing in public education and an effort to garner community support will play an important part in gaining the necessary resources required to achieve success, thus benefitting the Administrations cybersecurity initiatives.”