US introduces new rules to protect water systems from hackers

BySean Lyngaas, CNN, CNNWire
Friday, March 3, 2023
ABC7 Chicago 24/7 Stream

The US Environmental Protection Agency on Friday announced new requirements for public water facilities to boost their cybersecurity while expressing concern that many facilities have failed to take basic steps to protect themselves from hackers.

The new EPA memo requires state governments to audit the cybersecurity practices of public water systems - and then use state regulatory authorities to force water systems to add security measures if existing ones are deemed insufficient.

"Cyberattacks that are targeting water systems pose a real and significant threat to our security," EPA Assistant Administrator Radhika Fox told reporters Thursday.

It's the latest move in a full-court press by the Biden administration to use its regulatory and policy powers to try to raise the cyber defenses of US critical infrastructure that is frequently targeted by cybercriminals and foreign government-backed hackers.

The EPA memo comes a day after the White House released a national cybersecurity strategy that calls for software makers to be held liable when their products leave gaping holes for hackers to exploit.

A wakeup call for cybersecurity in the water sector came mere weeks into the Biden administration, in February 2021, when a hacker infiltrated a Florida water treatment facility and tried to increase the amount of sodium hydroxide to a potentially dangerous level, according to local authorities.

The facility stopped the attack before harm could be done, but the episode alarmed officials in Washington and led to greater federal scrutiny of the water sector's security practices.

The FBI and US Cybersecurity and Infrastructure Security Agency have warned about multiple ransomware attacks on the computer networks of water and wastewater facilities from California to Maine.

That greater public attention on the issue has brought improvements; the Water Information Sharing and Analysis Center (WaterISAC), an industry hub for cyber threat data and best practices, says its membership now includes facilities that provide water to most of the US.

"Multiple water sector associations embrace the need to help water systems bolster cyber resilience," Jennifer Lyn Walker, the WaterISAC's director of infrastructure cyber defense, told CNN. "The larger systems have been leading the charge for years, so I think we can adapt that effort toward the medium and smaller systems for the greater good of the sector."

But the sprawling US water sector, which includes more than 148,000 public water systems, has sometimes struggled with funding and personnel to protect systems.

At public water systems, "top-down authorization for major cybersecurity projects, unfortunately, usually only happen after an incident," Chris Grove, director of cybersecurity strategy at industrial security firm Nozomi Networks, told CNN.

"Within the municipalities that manage the public water systems, they are choosing between a library expansion, cameras for the police, or cybersecurity for water and wastewater treatment systems," Grove said.

(The-CNN-Wire & 2022 Cable News Network, Inc., a Time Warner Company. All rights reserved.)