Sparked by high-risk cyberattacks and subsequent mainstream press coverage, the federal government is moving toward new requirements for critical infrastructure cybersecurity.
A July Office of Management and Budget (OMB) memo (PDF) called for agencies across the federal government to establish specific cybersecurity "performance standards" for their respective industries — and, even more significantly, to budget for federal agency "review and assessment" of cyber-hardening plans prepared by organizations required to meet those new standards.
Needed: Federal Review and Assessment of Plans
This level of direct supervision extends the approach that today is applied only to the most critical national infrastructure — notably the electrical grid (regulated by the Department of Energy, the Federal Energy Reliability Commission, and the North Amerian Reliability Corp.) and oil and gas pipelines (Department of Homeland Security and the Transportation Security Administration) — across the full range of US industries that people rely on, including retail, pharmaceuticals, chemical, transportation and distribution, food and beverage, and many others.
One industry that's likely to feel this regulatory activity strongly, and see substantial changes as a result, is the water sector. Heavily vulnerable to cyberattacks, water utilities are in urgent need of refreshed — and enforced — security standards. In fact, the Biden administration recently hinted that the Environmental Protection Agency (EPA) is set to issue a new rule that would include cybersecurity in sanitation reviews of the nation's water facilities — further supporting higher standards when it comes to cybersecurity.
The stakes are high: A typical municipal water processing system filters 16 million gallons of water each day, and one successful hacker could taint the community's entire water supply. This is not a hypothetical fear — a hacking group recently managed to infiltrate a water treatment system in Oldsmar, Fla. By tinkering with the amount of lye in the water, they put an entire town at risk. And recently, the Clop ransomware gang targeted the South Staffordshire water utility in the UK. While these attacks are not always successful, the gravity of the risks has been made abundantly clear.
Despite previous attempts to improve security standards for the water sector, it remains vulnerable. Even America's Water Infrastructure Act of 2018 (AWIA), which stated that water utilities must develop emergency response plans that address cybersecurity threats as part of a broader effort to improve overall infrastructure and quality, did not significantly change the cybersecurity posture for the industry. The sector encompasses 50,000 separate utilities in the United States, most of which are small and managed by municipalities; this fragmentation, coupled with general unwillingness from operators to abandon existing practices, allowed the impetus for change to peter out.
But precedent tells us that, when done right, federal regulations can make a difference. We're already seeing progress in another vulnerable critical infrastructure sector: oil and gas. Following the high-profile Colonial Pipeline hack in 2021, the Department of Homeland Security's Transportation Security Administration (TSA) quickly released two Security Directives, with an update in 2022, doubling down on its efforts to ensure better protection for energy infrastructure nationwide. These directives emphasized credential management and access control, two things that would have helped block the ransomware attack in the first place.
Despite initial pushback from pipeline owners and operators, these first-of-their-kind TSA requirements are already leading the entire sector toward a more-protected environment. Operators are now leaning into security measures centered around proactivity and attack prevention.
Call for Attack Prevention Leads to More Protection
The key difference here is that the TSA directives require implementation plans for cyber protection, not just for incident detection and response. Once operators were required to protect themselves, not just respond to events after the fact — and once the federal government was reviewing their cyber-protection plans — the oil and gas sector began to move in earnest.
And now, with the OMB's guidance to agencies, the same direct supervision of cyber protection will come to other sectors, too, including water. In other words, the movement within oil and gas is a hint at what's to come for other critical infrastructure.
The 2021 Oldsmar hack showed the world just how easy — and how devastating — an attack on a water plant can be. Regardless of historical industry norms, a clear need for better cybersecurity has emerged, and it appears that the government is prepared to move ahead more aggressively than ever. Its broad push toward better security for critical infrastructure is poised to be the catalyst that many sectors, such as water, have desperately needed.
Plant owners and operators can no longer ignore the risks; heavier regulation is a "when," not an "if." Now is the time for them to pursue better, more modern cybersecurity.