The Biden administration announced Thursday that the Industrial Control Systems (ICS) Cybersecurity Initiative will be extended to include the water sector, marking the first major move to secure the nation’s water systems from cyberattacks.

Under the Water Sector Action Plan, the federal government over the next 100 days will collaborate with owners and operators in this critical infrastructure sector to deploy technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings.

“The plan will also allow for rapidly sharing relevant cybersecurity information with the government and other stakeholders, which will improve the sector’s ability to detect malicious activity,” the White House stated in its fact sheet.

The Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) “will work with water utilities and invite them to participate in a pilot program for ICS monitoring and information-sharing,” the White House stated. Alongside these agencies, the Water Sector Coordinating Council also will collaborate to promote cybersecurity monitoring to the whole water sector.

The White House said the plan initially will “focus on the utilities that serve the largest populations and have the highest consequence systems; however, it will lay the foundation for supporting enhanced ICS cybersecurity across water systems of all sizes.”

Real threat

A joint advisory issued Oct. 14 by four federal agencies—CISA, the EPA, the Federal Bureau of Investigation, and the National Security Agency—warned of “ongoing cyber threats to U.S. water and wastewater systems (WWS).”

The advisory stated that cyberattacks—by both known and unknown cybercriminals—commonly target information technology (IT) and operational technology (OT) networks, systems, and devices. The techniques used have included spear phishing of personnel to deliver malicious payloads, including ransomware; exploiting unsupported or outdated operating systems and software; and exploiting control system devices with vulnerable firmware versions.

“This (malicious cyber) activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” the advisory stated.

CISA listed five specific instances of WWS facilities that faced cyber threats between 2019 and early 2021. These included facilities in California, Kansas, Maine, Nevada, and New Jersey.

In addition to providing a list of resources, the agencies recommended in the joint advisory a variety of mitigation measures, including:

  • Having personnel responsible for monitoring WWS check for suspicious activities and indicators that may point to threat actor activity;
  • Requiring multi-factor authentication for all remote access to the OT network, including from the IT network and external networks;
  • Implementing and ensuring robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network;
  • Developing/updating network maps to ensure a full accounting of all equipment that is connected to the network; and
  • Ensuring the organization’s emergency response plan considers the full range of potential impacts cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and threats to safety.

The advisory further recommended installing safety systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor. Examples include the size of the chemical feed pump, gearing on valves, or pressure switches. “These types of controls benefit WWS sector facilities—especially smaller facilities with limited cybersecurity capability—because they enable facility staff to assess systems from a worst-case scenario and determine protective solutions,” the joint advisory stated.

The Water Sector Action Plan is part of a broader strategy by the Biden administration to modernize and enhance the nation’s cybersecurity defenses. Previously, the administration established ICS initiatives for the electric and natural gas pipeline subsectors.

“[T]oday, over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines have deployed or are in the process of deploying additional cybersecurity technologies,” the White House stated.