In April, we covered the Environmental Protection Agency’s (EPA) action on water management cybersecurity and the environment prompting such activity. At the time, the agency had recently decided to release a set of actions and requirements for systems operators to meet, including audits of cybersecurity practices and sanitary surveys, in order to shield themselves from the rising attacks on such critical infrastructure facilities. But since then, things have taken a bit of a turn.
EPA Draws Back Water Cybersecurity Initiative
As The Washington Post’s “Cybersecurity 202” newsletter reports, the EPA has decided to roll back its cybersecurity regulatory framework due to ongoing challenges introduced by certain state attorneys and industry groups. In July, a court issued a hold on the rule in response to a case brought against it, which ultimately led to this choice by the EPA. In the meantime, organizations such as the American Water Works Association and National Rural Water Association are pushing instead for the passing of the Cybersecurity for Rural Water Systems Act. Tim Starks writes for the newsletter that this legislation would allocate “$10 million annually from fiscal years 2024 to 2028 to pay for Agriculture Department cybersecurity experts who give technical assistance to rural water and wastewater systems.”
Ongoing Critical Infrastructure Cybersecurity Initiatives
Despite these events, the Biden administration still intends to find other ways to boost water and wastewater cybersecurity, and the EPA has stated that it will continue to provide support via training, funding, etc. to state water system operators. Additionally, the Cybersecurity and Infrastructure Security Agency announced in September that it has worked with the EPA, Water Sector Coordinating Council, and the Association of State Drinking Water Administrators to create a free cybersecurity scan resource available to facilities. The scan is meant to help both identify vulnerabilities and produce reports that can guide operators forward.
This maintained focus on critical infrastructure cybersecurity also unfolds as the administration releases its official plan for the national cybersecurity strategy. On top of assigning roles, responsibilities, and deadlines for execution, the National Cybersecurity Strategy Implementation Plan (NCSIP) “aims to ensure transparency and coordination among U.S. federal government agencies to bring the strategy to life,” writes Jonathan Reed at Security Intelligence. Among its pillars, it amplifies the ongoing need to defend critical infrastructure through enhanced public-private partnerships that advocate for a secure-by-design and secure-by-default approach.
Sources:
- “Biden administration goes back to the drawing board on water cybersecurity” – Tim Starks, Washington Post
https://www.washingtonpost.com/politics/2023/10/16/biden-administration-goes-back-drawing-board-water-cybersecurity/ - “CISA announces free security scans for public water utilities” – Sophia Fox-Sowell, StateScoop
https://statescoop.com/cisa-announces-free-security-scans-public-water-utilities/ - “Cyber experts applaud the new White House cybersecurity plan” – Jonathan Reed, Security Intelligence
https://securityintelligence.com/articles/cyber-experts-applaud-new-white-house-cybersecurity-plan/