The Biden administration announced on Friday a new plan to improve the digital defenses of public water systems.
The move comes one day after the announcement of a national cybersecurity strategy by the White House, which seeks to broadly improve industry accountability over the cybersecurity of American critical infrastructure, such as hospitals and dams.
The water system plan, which recommends a series of novel rules placing more responsibility for securing water facilities at the state level, follows several high-profile hacking incidents in recent years.
In February 2021, a cyberattack on a water treatment plant in Florida briefly increased lye levels in the water, an incident that could have been deadly if an alert worker had not detected the hack quickly. And in March 2019, a terminated employee at a Kansas-based water facility used his old computer credentials to remotely take systems offline, according to an administration official.
The government is acting now because of the urgency of the threat, according to a senior U.S. Environmental Protection Agency (EPA) official.
Radhika Fox, the assistant administrator in the EPA’s Office of Water, said hackers had “shut down critical treatment processes” and “locked control system networks behind ransomware,” underscoring the current danger.
However, some experts say the new plan will not do enough to help make systems more secure.
The water sector has long been seen as vulnerable to cyberattack, according to Mark Montgomery, the former executive director of the Cyberspace Solarium Commission, a U.S. government-backed policymaking group.
But Montgomery said the administration’s approach — attaching cybersecurity audits to existing sanitary surveys — is inadequate.
“The EPA is not in a position to perform its responsibilities due to insufficient personnel and resources, but the states are in no better position,” Montgomery said.
“Rather than pass the buck, EPA should work with water utilities and establish a joint government/industry organization to establish standards, provide assessment tools, and audit the results.”
EPA officials say they have a “robust technical assistance program” in place to support public water systems that need cyber support.
The water treatment industry was also critical of the administration’s announcement on Friday.
Tracy Mehan, executive director of government affairs at the American Water Works Association, said the plan has “all sorts of practical problems, which unfortunately, the government seems to be ignoring.”
Copyright 2023 Thomson/Reuters