CISA, EPA Issue 100-Day Cyber Plan for Water UtilitiesAgencies to Create Task Force, Enhance Information Sharing, Provide Technical Support
The U.S. Cybersecurity and Infrastructure Security Agency and the Environmental Protection Agency today announced an Industrial Control Systems Cybersecurity Initiative for water and wastewater systems. Federal officials say their 100-day plan "focuses on high-impact activities that can be surged to safeguard water resources by improving cybersecurity across the sector."
The new plan, officials say, focuses on strategies for early detection of cyberthreats and enables rapid sharing of data across the government to expedite analysis and action. The plan includes:
- Establishing a task force of water sector leaders;
- Implementing pilot projects to demonstrate and accelerate adoption of incident monitoring;
- Improving information sharing and data analysis;
- Providing technical support to water systems.
A White House fact sheet on the plan states that ransomware incidents such as Colonial Pipeline and JBS Foods, which struck in 2021, "are an important reminder that the federal government has limited authorities to set cybersecurity baselines for critical infrastructure, and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure."
The sector risk management agencies say their plan will initially focus on the utilities that serve the largest populations and have the "highest-consequence systems." But the plan will ultimately aim to enhance security across all systems, they add.
White House officials call the move a "top economic and national security priority."
'Safety and Security of Our Communities'
The new plan extends President Joe Biden's Industrial Control Systems Initiative, a collaborative effort between the federal government and critical infrastructure providers to deploy technologies that enhance threat visibility, indicators and detection. It was established via a national security memorandum in 2021.
Goals from the new action plan were developed by the EPA, the National Security Council, CISA - which falls beneath the Department of Homeland Security, and the Water Sector Coordinating Council and Water Government Coordinating Council.
"Cyberattacks represent an increasing threat to water systems and thereby the safety and security of our communities," EPA Administrator Michael S. Regan says in a statement. "As cyberthreats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America. EPA is committed to working with our federal partners and using our authorities to support the water sector in detecting, responding to and recovering from cyber incidents."
"Over the past year, we've seen cyberthreats affecting the critical infrastructure that underpins our communities and the services we all rely on, including safe and clean water," says CISA Director Jen Easterly. "To reduce the likelihood and impact of damaging cybersecurity intrusions to the water sector, we're teaming up with our EPA partners to provide guidance, technology, and direct support to the sector. The action plan announced today will help us better understand and reduce the risks across the water and wastewater sector both in the near and long term, and keep the American people safe."
Cyber Leaders Discuss
Other top cybersecurity leaders endorsed the new water systems plan on Thursday.
"Public-private sector collaboration like this initiative is central to protecting the American public and their ability to safely access critical services," says DHS Secretary Alejandro Mayorkas.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, says: "In the past year, the administration has worked closely across the U.S. government and [with] critical infrastructure partners to ensure they have our full support in shoring up their cyber defenses. … This plan is another example of our focus and determination to use every tool at our disposal to modernize the nation's cyber defenses."
And National Cyber Director Chris Inglis says: "The water sector action plan will provide owners and operators of water utilities a road map for high-impact actions they can take to improve the cybersecurity of their operations. I commend the Water Sector Coordinating Council and their federal partners for their continuing efforts to improve the present and future resilience of water utilities on which each American depends."
Other experts agree that the plan is beneficial, though the deadline could be a hurdle.
"There will be challenges, given the distributed nature of our nation's water systems, but with continued and increased levels of collaboration across government and private sector partners, improvements with resiliency can be made," says Matt Klein, field CISO for the advisory firm Coalfire. "One hundred days is a relatively short amount of time, however, very clear tactical and strategic approaches to safeguarding water resources can be developed and communicated in this time frame."
Still, not all security experts are convinced.
This move from the administration is simply a "good first step," says Mark Carrigan, cyber vice president of process safety and OT cybersecurity at the firm Hexagon PPM.
"These measures will not be nearly sufficient to reduce the risk to an acceptable level," Carrigan says. "The state of detection technology today is not foolproof. Many infiltrations and subsequent attacks start with exploiting zero-day vulnerabilities that are not recognized until after the fact. It's like closing the barn door after the cows have gotten out." He calls for continued efforts to build operational resiliency.
In their messaging on Thursday, White House officials also cite other whole-of-government efforts to improve critical infrastructure security, including initiatives for the electric and natural gas pipeline subsectors. Officials say they have received initial commitments from more than 150 electric utilities, serving more than 90 million Americans, along with multiple gas pipelines, to deploy additional cybersecurity controls.
The administration also points to its increasingly targeted campaign against ransomware infrastructure, the president's May 2021 executive order mandating sweeping IT modernization efforts across the federal enterprise, and several sector-based White House summits to enhance collaboration. Recently, that included a meeting with private sector stakeholders to discuss open-source software security (see: White House Hosts Open-Source Security Summit With Big Tech).
Also of utmost concern for the administration: nation-state threats from Russia and China. Officials again said on Thursday that they have "imposed costs" on Russia for the SolarWinds software supply chain attack and continue to attribute "malicious cyber activity to the People's Republic of China."
"[We] have made it clear to nation-states and malicious actors that we will continue to use every tool available to us to protect the American people and American interests against cyberthreats," officials said.