Following earlier executive orders aimed at shoring up other aspects of critical infrastructure, the White House has issued a 100-day cybersecurity plan for United States water utilities.
The Water Sector Action Plan will call on private operators to improve their cybersecurity monitoring technology, more rapidly share threat information with the government and contribute to the development of protocols for information sharing between organizations. The series of orders from the White House comes as a response to the ransomware rampage of 2021, which impacted the real-world delivery of goods in several cases.
Water utilities follow electric and oil in adopting stronger cybersecurity standards
The Biden administration had said that earlier executive orders directed at other types of utilities (the Industrial Control Systems Initiative) were part of an ongoing package that would eventually encompass all aspects of critical infrastructure, with a gradual roll-out that has now reached water utilities.
The orders lay out a mandatory cybersecurity plan aimed at keeping utilities from being breached. The problem is not unique to water utilities: private industry across the critical infrastructure sectors has long had issues with cybersecurity, as government policy has largely been voluntary and companies have been given a great deal of room to self-regulate.
The cybersecurity plan involves the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC). It is also a mix of concrete requirements and suggestions for collaboration between the government and various water utilities, which vary greatly in size and the scope of communities that they serve.
Water utilities can expect to upgrade their cyber defense capabilities in the coming months, with a focus on technology that facilitates information sharing with the government and other related organizations. The government is remaining neutral on specific technologies and providers, but water utilities will be expected to meet certain security and monitoring standards laid out by the cybersecurity plan. EPA and CISA will also be operating a pilot program, which at this point is voluntary, for water utilities to develop monitoring and information sharing protocols.
The cybersecurity plan does note that the nation’s roughly 150,000 water utilities vary greatly in size, from those that serve small rural communities to the gigantic sophisticated systems employed by major metropolitan areas. The government will initially be focusing on the largest systems and those that have the “highest consequence” designation, but this process will establish standards and protocols that will then be passed on to the smaller systems. A task force overseeing this process will also be formed from water sector leaders.
Cybersecurity plan follows set of troubling breaches
The primary impetus for the Biden administration’s rapid movement in shoring up critical infrastructure is the attacks on Colonial Pipeline and JBS last year, each of which temporarily slowed shipments of an essential item. But water utilities became a priority item after two breaches in recent years in which hackers were able to directly access controls and attempt to poison the water supply, something that transcends a logistics difficulty to become a real-world attempt at terrorism.
In early 2021, a hacker breached Florida’s Oldsmar water treatment plant and attempted to increase the lye content (used as a cleaning agent) to an unsafe level. The attack was thwarted by an on-site employee who noticed unusual movement, but the attacker was able to enter fairly easily by using credentials for outdated remote access software that was supposed to have been retired. Shortly after that incident, a suspect was charged in a similar Kansas case from 2019 in which the cleaning and disinfection systems of a municipal water supply were also targeted. The Kansas suspect turned out to be a former employee of the plant, thought to be using remote access credentials that should have been disabled when he left his job.
The incidents demonstrated an immediate need for a modern cybersecurity plan for water utilities, facilities and services that have the potential to harm millions if compromised. Insiders and vulnerabilities in outdated software are serious threats, but far from the only ones; three additional water and wastewater plants in California, Nevada and Maine were hit by ransomware attacks in 2021.
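Both incidents described above turned on remote-access credentials that should no longer have worked: an account tied to retired software in one case, a former employee's login in the other. The following is an added example, not code from the article or from any of the agencies or utilities it mentions, of the kind of access-review check a utility could run over its remote-access authentication logs. The log format, account names, tool names and dates are all constructed for illustration.

```python
"""Flag successful remote-access logins that should have been impossible.

Added example: replays constructed authentication log lines against two
lists a utility would maintain anyway, namely staff who have left (with
their departure date) and remote-access tools that were decommissioned
(with their retirement date). Any successful login after either date is
a finding for the access-review team.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed records: these names, tools and dates are not from the article.
DEPARTED_STAFF = {"jdoe": datetime(2021, 1, 15)}
RETIRED_TOOLS = {"legacy-remote-tool": datetime(2020, 6, 30)}

# Constructed log lines in the format:
# "<ISO timestamp> <tool> login user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = [
    "2021-02-05T09:12:00 legacy-remote-tool login user=operator1 src=10.0.0.5 result=ok",
    "2021-02-05T09:15:00 vpn login user=jdoe src=203.0.113.7 result=ok",
    "2021-02-05T09:20:00 vpn login user=operator2 src=10.0.0.9 result=ok",
    "2021-02-05T09:22:00 vpn login user=jdoe src=203.0.113.7 result=fail",
    "2021-01-10T08:00:00 vpn login user=jdoe src=10.0.0.12 result=ok",
]


@dataclass
class Finding:
    line: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, tool, _login, user, src, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "tool": tool,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
        "ok": result == "result=ok",
    }


def audit(lines) -> list:
    """Return one Finding per successful login that used a revoked path."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev["ok"]:
            continue  # failed attempts are a separate alerting concern
        left = DEPARTED_STAFF.get(ev["user"])
        if left and ev["ts"] > left:
            findings.append(Finding(line, f"account {ev['user']} used after departure on {left.date()}"))
        retired = RETIRED_TOOLS.get(ev["tool"])
        if retired and ev["ts"] > retired:
            findings.append(Finding(line, f"login via {ev['tool']}, decommissioned on {retired.date()}"))
    return findings
```

Run against the constructed sample, the check reports two findings: a login through the decommissioned tool and a post-departure login by the former employee, while the pre-departure login and the failed attempt are left alone.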
There is a clear need to spur water utilities and other aspects of critical infrastructure to modernize their digital defenses, but there is some debate about whether the cybersecurity plan does enough. Matt Klein, Field CISO at Coalfire, points out that three months is a short time in which to expect to remediate an issue that has been neglected for so long: “There will be challenges given the distributed nature of our nation's water systems, but with continued and increased levels of collaboration across government and private sector partners, improvements with the resiliency can be made. 100 days is a relatively short amount of time; however, very clear tactical and strategic approaches to safeguarding water resources can be developed and communicated in this timeframe.”
As it stands, it appears the 100-day plan will focus on the country’s largest and most vulnerable utilities, passing on the practices established there as directives for the smaller utilities to follow in the longer term. Mark Logan, Chief Executive Officer of LogRhythm, speculates about what that may eventually look like: “Over the past 20 years, industrial control systems have largely neglected operational technology and operational risk by air gapping data to compensate for deficiencies in network security and physically isolating platforms from unsecured networks. This means critical infrastructure operations are ripe with opportunities for bad actors to target and take down their systems … Any organization leveraging technology to enable operations for critical infrastructure needs to ensure proper protection protocols are established, ranging from simple password hygiene, threat detection, preventative controls and response controls to quickly thwart and identify potential catastrophes. Lagging detection and alerts can result in disaster if controls or data are obtained by domestic or foreign adversaries.”