The White House launched a new cybersecurity initiative for the U.S. water supply Thursday after a handful of worrisome hacks against the sector last year.
Water facilities won't have to adopt any new practices because of the new initiative, which is intended to create a system that shares information about cyberthreats with the water sector and industry-wide basic security practices.
Bryson Bort, a cybersecurity consultant for industrial systems, said it was an important first step towards more secure water infrastructure.
Evidence-driven security requires evidence, according to Bort. The government is beginning to collect data through reporting to make sure there is visibility of the problem. We are building the foundation to be smarter, not just performative. The White House initiatives for the aviation and gas pipeline sector followed the new recommendations.
There is little cybersecurity guidance and almost no regulation for the more than 50,000 water and wastewater facilities in the U.S. that are independent of each other and vary widely in security practices. It makes it practically impossible to hack the U.S. water supply en masse, but it also makes it extremely difficult to regulate them together.
Many water facilities are dependent on computerized systems to operate. They have few employees on site and use automated systems at a given time. At least four U.S. water suppliers were hacked last year, though none of the security breachers are known to have harmed anyone.
A hacker gained access to a facility in Oldsmar, Florida near Tampa through remote desktop viewing software, which was used in a high-profile incident. The hacker briefly changed the levels of lye in the water to poisonous levels before an employee caught and stopped the hacker. There were three similar hacks last year, one in the San Francisco Bay area and two in Pennsylvania, all of which did not result in a known illness.
The law enforcement hasn't identified suspects in any of the incidents. While some water facility hacks, including Oldsmar and a ransomware attack in 2020 against a Southern California facility, are considered criminal, the U.S. Cybersecurity and Infrastructure Security Agency has warned that Russia could cause cyberattacks on the country's infrastructure.