As cyber attacks continue to target critical infrastructure sectors like water and wastewater systems, implementing proper cybersecurity practices is becoming more vital in protecting against highly disruptive cybersecurity incidents. According to the Environmental Protection Agency (EPA), these threats to process control systems have the capacity to upset treatment/conveyance processes, steal customer personal data and credit card information from the billing system, and install ransomware to disable all control systems. Compromised water and wastewater facilities then face faltering levels of customer confidence along with financial and legal liabilities. In response, the EPA has taken steps to implement new cybersecurity rules for water sector agencies.
The EPA’s New Cybersecurity Policy
The Environmental Protection Agency recently announced that the sanitary survey reviews conducted at water facilities will be extended to include cybersecurity. Anne Neuberger, the deputy national security adviser for cyber and emerging tech, made the announcement, stressing the efficacy of public-private partnerships and the elements currently missing from U.S. critical infrastructure. She states that the Australian legislation for cybersecurity follows a model that should be emulated by the U.S. The framework of the Australian Security of Infrastructure Act implements a cybersecurity standard to improve the transparency and operational control of Australian infrastructure, facilitates collaboration between government, regulators, and operators of infrastructure, and provides a means to respond to cybersecurity threats.
Anne stresses the importance of protecting critical infrastructure, stating that “When we drive a car, the car comes with the seatbelt, comes with airbags. It comes with standards for what’s the speed you can drive on the road. And what happens if there’s a major accident? We need the same with cyber.”
What the EPA Recommends
The Environmental Protection Agency also currently recommends implementing a cybersecurity program to remove any possible vulnerabilities that these attacks could exploit. You can check out the EPA’s cybersecurity resources page for the water sector on its website. Some precautions the agency recommends include ensuring that all IT systems have up-to-date security patches, separating network and control access based on job functions, and developing a contingency recovery plan for any critical systems.
Alvaka also recommends applying key mitigations to increase your cyber resilience in the following blog post, Reduce the Risk of Ransomware & Other Cyber Attacks.