Cyber security troubles in the water sector exposed by federal efforts towards mitigation

Cyber security troubles in the water sector exposed by federal efforts towards mitigation

In a move aimed at enhancing the security of public water systems, state and federal agencies are implementing new cybersecurity measures and initiatives. These measures are designed to protect these essential services from malicious cyberattacks, including those targeting programmable logic controllers (PLCs) like those from Unitronics.

One of the key initiatives is the New York State Cybersecurity Regulations, effective from January 2027. These regulations require community water systems serving over 3,300 people to conduct annual cybersecurity vulnerability analyses, implement risk-based cybersecurity programs, develop incident response plans, and report cybersecurity incidents to the Department of Health within 24 hours. The regulations also mandate regular training for certified water operations staff and the designation of senior executives to oversee cybersecurity and network monitoring for the largest systems [1][3][5].

To support these efforts, New York State has launched a $2.5 million cybersecurity grant program. This program assists water utilities with costs related to risk assessments, technical assistance, and compliance upgrades. However, it is acknowledged that this funding is insufficient to cover full costs for many systems [1][5].

At the federal level, guidelines are increasingly emphasizing Zero Trust cybersecurity architectures for industrial control systems in water infrastructure. Zero Trust limits lateral movement inside networks and enhances authentication and monitoring for remote access to operational technology. This approach helps control access and reduce exploitation risks, including against Unitronics PLCs that have been specifically targeted for political cyberattacks [2].

Additional federal legislation, such as the IoT Cybersecurity Improvement Act of 2020 and subsequent NIST standards, frame security expectations for connected industrial devices, including PLCs. These standards encourage secure design, authentication, monitoring, and response capabilities [4].

However, the push for mandatory audits for water utilities, such as the one proposed by the EPA, has raised significant concerns among state and local officials. These concerns revolve around the lack of resources in many community water systems and the need for a collaborative approach rather than top-down mandates [6].

In response, proposals for a public-private collaborative model, similar to the electric power industry, have been suggested. This model would involve agreed-upon assessments and resources such as vulnerability scanning, tabletop exercises, and local funds provided by agencies like the Cybersecurity and Infrastructure Security Agency [7].

The growing threats to water systems have also been recognised by international agencies. The NCSC in the UK, for instance, is working diligently to address these threats against the water sector [8].

In conclusion, state and federal initiatives collectively emphasize mandatory vulnerability assessments, incident reporting, staff cybersecurity training, Zero Trust frameworks, and grant funding support to mitigate cyber risks to public water infrastructure. These efforts aim to address the under-resourcing of water systems and the growing capabilities of adversaries, pushing for stronger, layered cybersecurity defenses [1][2][3][5].

Sources: [1] https://www.ny.gov/programs/new-york-state-cybersecurity-requirements-critical-infrastructure-operators [2] https://www.cisa.gov/zerotrust [3] https://www.ny.gov/sites/governor.ny.gov/docs/gov/budget/exec/fy24/Budget_Book_2024_Executive_Summary_Cybersecurity.pdf [4] https://www.nist.gov/cybersecurity/iot-cybersecurity-improvement-act-2020 [5] https://www.ny.gov/programs/new-york-state-cybersecurity-grant-program [6] https://www.nysenate.gov/newsroom/press-releases/neuberger/neuberger-statement-epa-withdrawal-cybersecurity-rules-public [7] https://www.washingtonpost.com/technology/2023/10/27/water-utilities-cybersecurity-biden-administration/ [8] https://www.ncsc.gov.uk/news/ncsc-launches-new-water-sector-security-programme

1. The New York State Cybersecurity Regulations, which come into effect in January 2027, require community water systems to conduct annual cybersecurity vulnerability analyses.
2. Zero Trust cybersecurity architectures, which limit lateral movement inside networks and enhance authentication and monitoring for remote access to operational technology, are increasingly being emphasized for industrial control systems in water infrastructure.
3. The IoT Cybersecurity Improvement Act of 2020 and subsequent NIST standards frame security expectations for connected industrial devices, including Programmable Logic Controllers (PLCs).
4. International agencies, such as the NCSC in the UK, are working diligently to address growing threats to water systems.

Read also: