The Biden administration on Thursday announced a new plan to secure U.S. water systems from cyberattacks, part of a broader effort to defend elements of domestic critical infrastructure from digital threats.
The White House and Environmental Protection Agency (EPA) announced a new “action plan” for the water sector that aims to encourage water utilities to adopt technology that helps detect cyber threats to industrial control systems, or ICS, early on. The administration intends to implement the plan over 100 days, according to the White House.
The administration is also trying to boost information sharing about cyber threats between owners and operators of water utilities and the federal government.
The Biden administration is working to boost the cybersecurity of systems used to operate critical infrastructure, particularly in the wake of high-profile cyberattacks like the ransomware attacks targeting Colonial Pipeline and meat processor JBS last year. The administration has announced similar plans to secure the electric sector and natural gas pipelines.
“Our efforts to secure critical infrastructure highlight the fact that cybersecurity is a top economic and national security priority for the Biden administration,” a senior administration official told reporters on a call previewing Thursday’s announcement.
The official said the attacks on Colonial Pipeline and JBS laid bare the limits of the federal government’s authority to set cybersecurity baselines.
As part of the new plan for the water sector, the EPA and the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security are setting up a pilot program that water utilities can participate in for ICS monitoring, as well as engaging with utilities that have already adopted ICS monitoring.
The Biden administration eventually plans to produce guidance for the water sector on ICS cybersecurity, a second senior administration official said.
It’s unclear how impactful the new plan will be, given that the utilities’ participation in the pilot program, adoption of ICS monitoring tools, and information sharing with the federal government are all voluntary.
Last year, the Biden administration mandated that U.S. pipeline operators report cyberattacks to the federal government under a directive of the Transportation Security Administration (TSA).
Asked why the administration is not mandating such activities for the water sector, the first senior administration official said that the EPA “has far more limited authorities for the water sector” when compared to TSA.
The official also signaled the White House intends to propose legislation this year that would boost the EPA’s authority so that it could mandate similar cybersecurity actions for the water sector, without offering further details.
