The Biden administration is examining whether the Environmental Protection Agency still has authorities to mandate cybersecurity standards for the water sector after a previous effort was derailed last year.
The administration has sought to establish minimum cybersecurity requirements across all critical infrastructure sectors under President Joe Biden’s cybersecurity strategy. But the Environmental Protection Agency withdrew a water sector cybersecurity rule after several states and water associations filed lawsuits opposing the rule.
However, White House and EPA officials are still considering what authorities exist to bolster cybersecurity in a sector with 50,000 water utilities spread out across the country. In a call with reporters Thursday, Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger said White House continues to focus on the water sector.
“We’ve been putting a lot of work into the cybersecurity of the water system,” Neuberger said. “The lawsuit was unfortunate.”
In December, agencies issued an advisory stating an Iranian government-affiliated cyber threat group had exploited critical infrastructure networks, including U.S. water and waste water facilities across 16 states. Neuberger said the hackers were able to hack into systems at the facilities using a default password, “1111.”
“I frankly hesitate to call them cyber attacks,” Neuberger said.
This week, agencies released new details on a China-linked threat group, “Volt Typhoon.” The hackers are targeting multiple U.S. critical infrastructure organizations, including in the water sector. The advisory said the hackers may have had access to some systems for the last five year.
Neuberger said White House and EPA officials met with water associations this week to discuss cybersecurity efforts. And despite the withdrawal of last year’s rule, Neuberger said officials are considering what other authorities EPA may be able to leverage in the near term.
The White House is also considering legislative proposals, but Neuberger acknowledged lawmakers in Congress are unlikely to address cybersecurity challenges in the water sector in the short term.
“We want to be sure that we fully use all existing authorities, even as we explore potential legislative authorities,” she said. “The path to new authorities, legislative authorities, is a longer one, is not going to happen quickly. Just because there aren’t necessarily vehicles moving and a standalone water bill, given all the other Hill priorities, may not be timely.”
Meanwhile, Neuberger said officials are in “final policy discussions” on the re-write of Presidential Policy Directive-21, which lays out responsibilities for protecting critical infrastructure sectors.
“What’s the most effective way to ensure that the 18 sector risk management agencies are in a position to do the work on the ground to drive cybersecurity improvements?” Neuberger said, describing the discussions. “Do they have a mandatory authority? Do they have the resources? Because those agencies know their sectors, they have existing ways that they’re working with their sectors, and we want to integrate cybersecurity within that to be most effective on the ground.”
While efforts in the water sector have run into challenges, agencies have implemented new cyber regulations in other critical infrastructure sectors, including pipelines and railways. Neuberger said regulating agencies have become more “cutting edge” at leveraging existing authorities to set cybersecurity requirements.
“When you shift an approach like that, clearly it takes time to play out on the ground, and it takes time to really get the volume,” she said. “Nothing changes with the snap of a finger. We’ve been investing across the U.S. government, in a lot of day by day work with companies, with associations to gain their buy in and help them understand the criticality of the threat and the need for action.”
The post With critical infrastructure being targeted, Biden admin considers next steps for water sector first appeared on Federal News Network.