By Suzanne Smalley
(Reuters) – The Biden administration announced a new plan on Friday to improve the digital defense of public water systems.
The move comes a day after the announcement of a national cybersecurity strategy by the White House, which aims to broadly improve industry accountability over the cybersecurity of US critical infrastructure such as hospitals and dams.
The water system plan, which recommends a set of new rules that place more responsibility for securing state-level water supplies, follows several high-profile hacking incidents in recent years.
In February 2021, a cyber-attack on a water treatment plant in Florida briefly increased the level of lye in the water, an incident that could have been fatal had an alert employee not quickly noticed the hack. And in March 2019, a laid-off worker at a Kansas water supply used his old computer credentials to take remote systems offline, an administrative official said.
The government is now taking action because of the urgency of the threat, according to a senior U.S. Environmental Protection Agency (EPA) official.
Radhika Fox, the assistant administrator at the EPA’s Office of Water, said hackers had “shut down critical treatment processes” and “locked control system networks behind ransomware,” underscoring the current danger.
However, some experts say the new plan won’t do enough to make systems more secure.
According to Mark Montgomery, former executive director of the Cyberspace Solarium Commission, a US government-backed policy group, the water sector has long been seen as vulnerable to cyberattacks.
But Montgomery said the government’s approach — linking cybersecurity audits to existing health screenings — is inadequate.
“The EPA is unable to carry out its responsibilities due to insufficient staff and resources, but the states are not in a better position,” Montgomery said.
“Instead of shifting responsibility, EPA should work with water companies and create a joint government-industry organization to set standards, provide assessment tools and monitor results.”
EPA officials say they have a “robust technical assistance program” to support public water systems in need of cyber assistance.
The water treatment industry was also critical of the government’s announcement on Friday.
Tracy Mehan, executive director of government affairs at the American Water Works Association, said the plan “has all sorts of practical problems, which the government unfortunately seems to be ignoring.”
(Reporting by Suzanne Smalley; editing by Stephen Coates)