Utilities reviewing proposal to help trace hacks and share data with authorities
The White House previously said it would expand the program to water utilities this year to prevent hackers from breaking into increasingly digital control systems of industrial firms.
Kevin Morley, federal relations manager for the American Water Works Association, said water-sector trade groups are evaluating the draft blueprint and potential technology needs to see how US officials will support the effort and what types of data the government wants.
“It gives visibility to our federal partners,” said Mr. Morley. “But how is that information shared for the pure good of the sector, or other sectors for that matter?”
The White House launched its Industrial Control Systems Cybersecurity Initiative during a 100-day “sprint” in April to enhance the security of electric utilities. The program was expanded in August to include natural gas pipelines. Adding the water sector to the program will mark the latest effort to harden private or publicly operated infrastructure that has historically operated with few cyber regulations.
Safety experts say the water supply must be rescued urgently due to the growing threats to the region and the dated technology of some utilities. In February, a hacker accessed an Oldsmar, Fla., water utility control system and attempted to increase the amount of lye used to treat the water to potentially dangerous levels. US officials in October warned of “ongoing malicious cyber activity” against water utilities, citing three ransomware attacks this year.
An EPA spokesperson said that as part of the White House plan, the Environmental Protection Agency, which oversees water utilities’ cyber security, will work with the Cyber Security and Infrastructure Security Agency to help utilities watch for such attacks. to help improve its capability.
“The draft plan outlines roles and responsibilities that leverage the expertise and resources of EPA, CISA and water sector partners,” he said in a statement.
The White House’s National Security Council prepared the draft plan on November 10, said Michael Arsinaux, managing director of WaterISAC, a nonprofit that shares information about security threats within waters.
“As the initiative gains traction among water and wastewater utilities, sector associations will work to help our members make informed choices about the sharing options available to them,” he said.
A National Security Council spokeswoman said the Biden administration hopes to expand its work in the water sector soon, but declined to comment on when it wants to launch the initiative. CISA declined to comment.
Administration reforms US cyber policy after federal agencies breach via compromised SolarWinds Corporation
Last year a series of software and ransomware attacks disrupted a major fuel pipeline company this spring. As well as unveiling first-of-its-kind regulations for the pipeline and rail sectors, US officials are prompting companies to participate in voluntary partnerships such as the Industrial Control Systems Cyber Security Initiative.
Implementing such programs could be challenging for the water sector, said Robert Powelson, president of the National Association of Water Companies, a trade group representing investor-owned utilities. More than 50,000 entities maintain the US water supply, he said, while security experts have criticized the EPA for its lack of cyber staff and expertise to oversee such a fractured area.
The EPA, which has no binding cybersecurity standards for water providers, has said it has the tools it needs to help utilities defend themselves.
Ultimately, the water sector does not need regulations administered by the EPA, but through a model similar to the electric sector, said Mr. Powelson, a former commissioner of the Federal Energy Regulatory Commission, which regulates the interstate transmission of electricity.
“For the people in us” [water] The area says, ‘we should have voluntary standards’, which to me is hogwash,” he said.
write to David Uberti [email protected] . Feather