In January, the United States Environmental Protection Agency announced a plan to fortify the nation’s water sector against cyberattacks.

With its short, 100-day timeline, the Industrial Control Systems Cybersecurity Initiative-Water and Wastewater Sector Action Plan contains a number of high-impact measures to protect assets. It’s part of President Biden’s Industrial Control Systems (ICS) Initiative to foster collaboration between the federal government and the critical infrastructure community.

The EPA’s Michael S. Regan explained:

As cyber-threats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America. EPA is committed to working with our federal partners and using our authorities to support the water sector in detecting, responding to, and recovering from cyber-incidents.

The plan was developed by the EPA in collaboration with the National Security Council, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Water Sector Coordinating Council (WSCC), and the Water Government Coordinating Council to help strengthen the country’s preparedness against cyberattacks on 150,000 public water systems that serve 300 million Americans.

The EPA and CISA will lead the initiative in cooperation with the WSCC to “provide owners and operators of water utilities a roadmap for high-impact actions they can take to improve the cybersecurity of their operations,” and encourage, incentivize, and help water sector stakeholders in the rapid deployment of ICS cybersecurity monitoring technologies.

One of the plan’s key goals is to create a task force of water sector leaders. The plan includes pilot incident-monitoring projects, enhancement of early warning systems for cyber-threats, technical support for water systems, and initiation of rapid cyber threat data-sharing protocols in government.

While the action plan currently focuses on larger utilities, it is intended to spur partnerships between government agencies to lay the groundwork for enhancement of ICS cybersecurity in water systems of all scales.

Threats to the Water Sector

Noting the Colonial Pipeline and JBS Foods incidents, along with other recent, high-profile cyberattacks, the plan reminds sector leaders that the federal government has limited power to set national cybersecurity rules for critical infrastructure.

The White House will ask Congress for more authority to mandate cybersecurity standards for the water sector later this year but expanding its authority may prove difficult. Information sharing about cyberattacks between the sector and government has historically been lacking, but the government hopes the plan will create a dialogue and break down some of the barriers to collaboration. While participation is voluntary, the White House fact sheet stresses that cooperation will be essential to successfully managing the risk.

The plan comes on the heels of an October joint advisory from the Cybersecurity and Infrastructure Agency and other federal security agencies, warning of ongoing malicious activities that target information and operational technology at U.S. water and wastewater sector facilities. Only months after the advisory, hackers accessed a Florida water treatment plant and attempted to poison drinking water with lye. Although the hack was quickly noticed and counteracted by a plant operator, the incident served as an important wake-up call.

Water is fundamental to life across the globe, as well as to the industries that keep the world running. Its security is of the utmost importance. At Fluence, our plants have built-in security settings to ensure that they are kept safe and operating as expected, and our remote monitoring application alerts the user of any concerns. To discuss your pressing water and wastewater questions, contact the experts at Fluence.