Federal initiative on cybersecurity underscores vulnerabilities in the water infrastructure sector
In response to growing threats to water systems, the federal government and local industry are working together to enhance cybersecurity protections. The Environmental Protection Agency (EPA) leads the federal effort to safeguard water sector critical infrastructure, including its cybersecurity.
Recent cyberattacks, including those linked to Iran's Islamic Revolutionary Guard Corps, have highlighted the need for increased security. The Biden administration's October 2023 withdrawal of its plan to include cybersecurity in periodic audits of public water systems underscores this urgency.
One of the significant federal legislative efforts is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. Enforcement begins in 2026, requiring utilities to report significant cyber incidents and ransomware payments within strict timelines, thereby increasing oversight and incident response capabilities for water utilities.
At the state and local levels, New York State is setting an example with proactive industry-government collaboration. The state has proposed enforceable cybersecurity regulations targeting water and wastewater systems serving more than 3,300 residents. These regulations mandate formal cybersecurity programs, annual vulnerability analyses, cyber incident response plans, training requirements, and incident reporting within 24 hours. Larger utilities also must designate cybersecurity program leads and maintain network activity logs. To support compliance, New York has launched a $2.5 million grant program assisting utilities with costs related to these new cybersecurity requirements.
Industry groups like the American Water Works Association and the National Rural Water Association now support ongoing legislative efforts to ensure cybersecurity remains a national priority while advocating for practical, sector-specific regulations.
The United Kingdom's National Cyber Security Centre is also working to address the growing threats against the water sector. The NCSC has issued industry guidance regarding the threat of malicious attacks targeting users of Unitronics PLCs, urging organizations to follow the guidance issued by U.S. and Israeli agencies on how to mitigate the threat activity.
The EPA, Cybersecurity and Infrastructure Security Agency, and other agencies provide resources for water utilities, including vulnerability scanning, tabletop exercises, and local funds. Mark Montgomery, senior director at the Center on Cyber and Technology Innovation, suggests a public-private collaborative model for implementing agreed-upon assessments.
As the water sector becomes increasingly digitalized through the installation of data logging equipment and smart meters, its exposure is rising. Katherine Ledesma, head of public policy and government affairs at Dragos, noted that utilities of all sizes are today on the front lines defending themselves against cyberattacks, and that small public water systems, which represent more than 90% of the nation's community water systems, face unique challenges in accessing the resources, tools, and expertise they need.
In conclusion, the federal government, state governments, and industry groups are working together to address cybersecurity threats to water systems. The EPA's leadership, federal laws like CIRCIA, state initiatives such as New York’s stringent regulations and financial aid, and collaborative efforts between public and private sectors are all crucial components in mitigating the risk posed by nation-state-linked threat groups.
- The growing threats to water systems have underscored the need for increased cybersecurity, an urgency highlighted by the Biden administration's withdrawal of its plan to include cybersecurity in periodic audits of public water systems.
- In response to this urgency, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 has been introduced at the federal level, requiring utilities to report significant cyber incidents and ransomware payments within strict timelines.
- At the state level, New York State is leading the way with proactive collaboration between industry and government, proposing enforceable cybersecurity regulations that include formal programs, vulnerability analyses, incident response plans, training requirements, incident reporting, and designated cybersecurity leads.
- Recognizing the unique challenges faced by small public water systems, industry groups like the American Water Works Association and the National Rural Water Association are advocating for practical, sector-specific regulations, while the EPA and other agencies provide resources and support for utilities in their efforts to address cyber vulnerabilities.