The Biden administration announced Thursday it is extending a voluntary cybersecurity initiative for essential control systems in the electricity sector and pipelines to facilities that supply water across the U.S.
Under the initiative, the administration is pushing participating water sector facilities to adopt detection technologies that would monitor cyber threats to industrial control systems (ICS), which automate processes such as the treatment, storage and distribution of water. It’s also urging them to more rapidly share threat data with the U.S. government. The 100-day plan will first aim to bring in larger facilities.
The water sector, which includes what a senior administration official estimated at over 150,000 facilities that provide water to approximately 300 million Americans, has long been considered one of the most vulnerable in the U.S. to cyberattacks. A hack last February on a facility in Florida temporarily altered the plant’s sodium hydroxide setting to a level harmful to humans, serving as a reminder of the potential danger should a more advanced group seek to cause more damage.
“There is absolutely inadequate cyber resilience across the water sector,” a senior administration official said on a Wednesday call. “There’s inadequate cyber resilience to even a criminal actor. I think you saw the incident that occurred in Tampa last year, which was a criminal actor.”
Under the President’s Industrial Control System Cybersecurity Initiative created last year, the White House has enlisted more than 150 electricity utilities serving almost 90 million residential customers to deploy advanced ICS security tech.
The initiative demonstrates the patchwork nature of the executive branch’s regulatory authority. The Transportation Security Administration, for instance, mandated top pipeline operators to take multiple steps to improve security last year in the aftermath of the Colonial Pipeline attack.
The Environmental Protection Agency — which has lead responsibility for reducing risk to the water sector — has no similar authority, however, to compel water facilities to act. A senior official said that the administration hopes to address a legislative proposal this year to change that.
Voluntary cybersecurity information sharing from industry to the federal government has long been a challenge as well. A senior administration official acknowledged the “reluctance” from the water sector to share threat data, like other critical infrastructure sectors. The official said that the Joint Cyber Defense Collaborative housed at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is developing information-sharing protocols that the initiative could lean on to improve that.