EPA unveils cybersecurity action plan for water utilities


As the U.S. formulates a national plan to increase the resilience of its critical infrastructure against cyberattacks, the Environmental Protection Agency (EPA) has laid out an action plan to ramp up protections for the water and wastewater sector over the next three months.

Looking to respond to ransomware attack incidents involving Colonial Pipeline and JBS Foods, as well as the hack of a Florida water treatment plant where a cyberintruder skyrocketed levels of lye remotely, The Water and Wastewater Sector Action Plan focuses on the adoption of strategies for the early detection of cyberthreats and the rapid sharing of cyberthreat data across the government to expedite action and analysis.

The plan will initially focus on utilities that serve the largest populations and have the highest consequence systems, the EPA announced. For instance, water utilities will be invited to participate in a pilot program for monitoring and information sharing under the Industrial Control Systems (ICS) Cybersecurity Initiative.

“Cyberattacks represent an increasing threat to water systems and thereby the safety and security of our communities,” announced EPA Administrator Michael Regan, in a statement. “As cyberthreats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America,” he added.

Subscribe to our Newsletter!

The latest environmental engineering news direct to your inbox. You can unsubscribe at any time.

The ICS initiative states that it will support the deployment of technologies and systems that “provide threat visibility, indications, detection, and warnings,” and that “facilitate response capabilities for cybersecurity in essential control system and operational technology networks.”

The new water sector initiative is billed as a public-private sector collaboration that involves the Cybersecurity and Infrastructure Security Agency. It follows a cyber-retooling of the electricity sector in mid-April, when more than 150 electricity utilities, representing almost 90 million residential customers, introduced or prepared for new control system cybersecurity technologies.

As the EPA currently lacks the legal authority to impose cybersecurity measures on water systems, the new measures will be considered voluntary.

The U.S. will also establish a task force of water sector leaders as part of the new plan.

“The expansion of the President’s ICS Cybersecurity Initiative to the Water Sector is an important step forward in securing our nation’s water utilities from malicious cyber activity,” announced National Cyber Director Chris Inglis, in a statement. “The water sector action plan will provide owners and operators of water utilities a roadmap for high-impact actions they can take to improve the cybersecurity of their operations,” he added.

The government, however, will not select, endorse, or recommend any specific technology or provider, according to a White House briefing.

The Water Sector Coordinating Council and Water Government Coordinating Council were also integral in shaping the new cybersecurity initiative.


Please enter your comment!
Please enter your name here