Today, the Biden-Harris Administration announced it will extend the Industrial Control Systems (ICS) Cybersecurity Initiative to the water sector. The Water Sector Action plan outlines surge actions that will take place over the next 100 days to improve the cybersecurity of the sector. The action plan was developed in close partnership with the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC).
The incidents at Colonial Pipeline, JBS Foods, and other high-profile critical infrastructure providers are an important reminder that the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure. The Administration has already established ICS initiatives for the electric and natural gas pipeline subsectors, and today over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines have deployed or are in the process of deploying additional cybersecurity technologies.
The Water Sector Action Plan is a collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings:
- Similar to electric and pipeline action plans, this plan will assist owners and operators with deploying technology that will monitor their systems and provide near real-time situational awareness and warnings. The plan will also allow for rapidly sharing relevant cybersecurity information with the government and other stakeholders, which will improve the sector’s ability to detect malicious activity.
- EPA and CISA will work with water utilities and invite them to participate in a pilot program for ICS monitoring and information sharing. This pilot will demonstrate the value of such technology to the sector. The WSCC, CISA, and EPA will also collaborate to promote cybersecurity monitoring to the entire sector.
- The plan will meet the particular requirements of this sector. This sector is made up of thousands of systems that range in size from the very small to ones that service major metropolitan cities that have little or no cybersecurity expertise and are unsure what steps they should take to address cyber risks. EPA and CISA will work with appropriate private sector partners to develop protocols for sharing information. The government will not select, endorse, or recommend any specific technology or provider.
- The plan will initially focus on the utilities that serve the largest populations and have the highest consequence systems; however, it will lay the foundation for supporting enhanced ICS cybersecurity across water systems of all sizes.
Efforts like this highlight cybersecurity as a top economic and national security priority for the Biden-Harris Administration:
- The Administration has rapidly moved out on a whole-of-government effort to counter ransomware including disrupting ransomware infrastructure and actors, bolstering public and private resilience to withstand ransomware attacks, and leverage international cooperation to address safe harbors for ransomware criminals and disrupt the ransomware ecosystem.
- President Biden signed an Executive Order to modernize cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. The Executive Order uses the federal government’s buying power to drive security in the software we all use.
- President Biden met with private sector and education leaders in August to discuss the whole-of-nation effort needed to address cybersecurity threats – and leaders announced ambitious initiatives to bolster the Nation’s cybersecurity. The White House convened government and private sector stakeholders to improve the security of open source software and ways new collaboration could rapidly drive improvements. And officials continue calling on the private sector publicly and privately to implement best practices to defend against malicious cyber activity, including backing up data, implementing multi-factor authentication, and testing incident response plans.
- The Administration has rallied G7 countries to hold accountable nations who harbor ransomware criminals, updated NATO cyber policy for the first time in seven years, and brought together more than 30 allies and partners to accelerate our cooperation in combatting cybercrime, improve law enforcement collaboration, and stem the illicit use of cryptocurrency. The Administration has imposed costs on Russia for SolarWinds, attributed malicious cyber activity to the PRC with a strong coalition, including NATO for the first time, and have made clear to nation-states and malicious actors that we will continue to use every tool available to us to protect the American people and American interests against cyber threats.