White House expands digital regulations for U.S. water supply

Ben Hasty

The White House launched a new cybersecurity initiative for the U.S. water supply Thursday after a handful of worrisome hacks against the sector last year.

The new initiative is designed to create a system that shares information about cyberthreats with the water sector and industry-wide basic security practices, though water facilities will not be forced to adopt any new practices.

Bryson Bort, a cybersecurity consultant for industrial systems, said it was an important first step toward more secure water infrastructure.

“Evidence-driven security requires evidence,” Bort said. “The government is starting with data collection through reporting to establish visibility of the problem. We’re building the foundation to be smarter, not just performative.”

The new recommendations follow similar White House initiatives for the aviation and gas pipeline sectors.

Currently, there is little cybersecurity guidance and almost no regulation for the more than 50,000 water and wastewater facilities across the U.S., which run independently of each other and vary widely in security practices. While that means it’s practically impossible to hack the U.S. water supply en masse, it also makes it extremely difficult to regulate them together.

Many water facilities are dependent on computerized systems to operate. They have few employees on site at a given time and use automated systems. Employees tend to remotely log in to address issues if they arise during off hours.

At least four U.S. water suppliers were hacked last year, though none of the security breachers are known to have harmed anyone.

In one high-profile incident, a hacker gained remote access to a facility in Oldsmar, Florida, near Tampa, through remote desktop viewing software. The hacker briefly changed the levels of lye in the water to poisonous levels before an employee caught and stopped the hacker. There were three similar hacks last year, one in the San Francisco Bay area and two in Pennsylvania, all of which did not result in known illness.

Law enforcement hasn’t identified suspects in any of the incidents. While at least some water facility hacks, including Oldsmar and a ransomware attack in 2020 against a Southern California facility, are considered criminal, the U.S. Cybersecurity and Infrastructure Security Agency has warned that tensions with Russia could spill into cyberattacks on the country’s infrastructure.