The Environmental Protection Agency will require states to assess the cybersecurity practices of public water systems, marking the first new critical infrastructure initiative since the White House unveiled the Biden administration’s national cyber strategy Thursday.
As part of the EPA memorandum, states are to include cybersecurity as part of sanitary surveys, the periodic audits of water systems.
“Most critical infrastructure owners and operators have a list of safety regulations they have to comply with,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said during a Thursday teleconference with reporters. “We want to make sure we have similar requirements for cyber, particularly given that a cyberattack can cause as much, if not more, damage than a storm or physical threat.”
The U.S. has more than 100,000 public drinking water systems, Radhika Fox, assistant administrator for the EPA Office of Water, said during the call. Recent data shows a rising threat of cyberattacks by criminal actors and rogue nation states against drinking water facilities across the U.S.
“What we know is that cyberattacks that are targeting water systems pose a real and significant threat to our security,” Fox said during the teleconference. “Incidents of malicious cyberattacks on water systems have done things such as shut down critical treatment processes.”
In previous attacks, ransomware has locked control system networks and disabled the communications used to monitor and control distribution system infrastructure such as pumping stations, according to Fox.
Drinking water and wastewater have been a critical focus of federal officials for years. In one of the most notorious incidents in recent years, a hacker tried to poison a drinking water plant in Oldsmar, Florida, by taking remote control of the facility’s supervisory control and data acquisition systems. The plant had been operating on outdated Windows 7 software.
The FBI, EPA, NSA and the Cybersecurity and Infrastructure Security Agency issued a warning in 2021 about potential ransomware threats against water systems.
EPA officials cited an insider attack at a Kansas water treatment facility as one of the most egregious cases in recent years. In that case, a fired employee whose credentials had not been revoked was able to remotely take control of the facility’s operational technology systems and take the treatment process offline.
The EPA is providing technical assistance and other resources to states and local water utilities to help with implementing cybersecurity protections. The agency is also requesting public comments on the guidance until May 31.