White House prepares plan to strengthen cybersecurity of water supply


The Biden administration is preparing a proposal to strengthen the cybersecurity of the United States’ water supply, a system maintained by thousands of organizations with vulnerabilities that are sometimes glaring for hackers.

The plan expands a White House initiative to persuade leading industrial companies to upgrade cyber attack detection technology. U.S. officials hope water utilities will voluntarily analyze and report this data to help authorities monitor threats to different types of critical infrastructure.

The White House has previously said it will expand the program to include water utilities this year as part of a campaign to stop hackers from breaking into the increasingly digitized control systems of industrial companies.

Water sector business groups are assessing the draft master plan and potential technology needs, how U.S. officials would support the effort and what types of data the government wants, said Kevin Morley, head of federal relations. for the American Water Works Association.

“It gives visibility to our federal partners,” said Mr. Morley. “But how is this information shared for the net good of the industry, or other industries, for that matter? “

The White House launched its industrial control systems cybersecurity initiative in April during a 100-day “sprint” to strengthen the security of electric utilities. The program was expanded in August to include gas pipelines. The addition of the water sector to the program would mark the latest attempt to strengthen private or public infrastructure that has historically operated with little cyber regulation.

Security experts say defending the water supply should become urgent due to growing threats to the industry and outdated technology in some utilities. In February, a hacker entered the control system of a water utility in Oldsmar, Florida, and attempted to increase the amount of laundry used to treat the water to a potentially dangerous level. In October, US officials warned of “ongoing malicious cyber activity” against water utilities, citing three ransomware attacks this year.

As part of the White House plan, the Environmental Protection Agency, which oversees the cybersecurity of water utilities, will work with the Cybersecurity and Infrastructure Security Agency to help utilities improve their ability to detect such attacks, has said an EPA spokesperson.

Pinellas County Sheriff Bob Gualtieri, right, at a press conference in February after a hacker gained access to the control system at a water utility in Oldsmar, Fla.



“The draft plan outlines roles and responsibilities that draw on the expertise and resources of EPA, CISA and water sector partners,” he said in a statement.

The White House National Security Council launched the draft plan on November 10, said Michael Arceneaux, chief executive of WaterISAC, a non-profit organization that shares information on security threats in the water industry. ‘water.

“Assuming the initiative gains traction among water and sanitation utilities, industry associations will strive to help our members make informed choices about the sharing options available to them.” , did he declare.

A National Security Council spokeswoman said the Biden administration hoped to expand its work into the water sector soon, but declined to comment when it intended to launch the initiative. CISA declined to comment.

More from WSJ Pro Cybersecurity

Administration Reorganized U.S. Cyber ​​Policy After Federal Agencies Breached By Compromised SolarWinds Corp.

software last year and a series of ransomware attacks disrupted a major fuel pipeline company this spring. In addition to unveiling groundbreaking regulations for the pipeline and rail industries, U.S. officials have pushed companies to participate in voluntary partnerships such as the Industrial Control Systems Cyber ​​Security Initiative.

Implementing such programs could be difficult for the water sector, said Robert Powelson, president of the National Association of Water Companies, a trade group representing investor-owned utilities. More than 50,000 entities supply the United States with water, he said, while security experts criticized the EPA for its lack of cyber staff and expertise to oversee such a sector. fragmented.

The EPA, which does not have binding cybersecurity standards for water providers, said it has the tools to help utilities defend themselves.

Ultimately, the water sector needs regulations administered not by the EPA, but through a model similar to the electricity sector, said Powelson, a former commissioner of the Federal Energy Regulatory Commission, which regulates the transmission of electricity between states.

“For the people of our [water] sector to say, “We should have voluntary standards”, to me that is hogwash, “he said.

Write to David Uberti at david.uberti@wsj.com

Copyright © 2021 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8

Source link

Comments are closed.