EPA is poised to announce a new rule that would require states to oversee more than 1,000 water utilities’ cybersecurity plans, according to a top White House official.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at an event hosted by the Center for a New American Security yesterday that EPA will be issuing a rule “shortly” to expand the regular reviews to include cybersecurity as threats at facilities mount across the country.
Neuberger’s comments were first reported by POLITICO yesterday.
The water sector has seen a surge of cybersecurity attacks in recent months and years, including a high-profile event in Oldsmar, Fla., last year when a hacker gained control of a water utility’s operating systems (Energywire, Feb. 10, 2021).
That event and others have revealed vulnerabilities as threats continue to grow for a sprawling sector that oversees itself.
“We are behind other countries in setting cybersecurity requirements for the critical elements of infrastructure — the most significant water, power, pipelines [and] hospitals in the country — as well as the technology that crosses all of them,” Neuberger said.
Neuberger said it is important for Congress to make sure that EPA has the authority and resources to handle the issue.
“We need the Hill to ensure that those authorities are clear so that as threats continue to evolve … as [systems are] modernized, to ensure sensors are added to ensure cybersecurity is baked in,” she added.
When asked whether a rule is in the works, Tim Carroll, a spokesperson for EPA, said the agency is moving forward with a regulatory approach to improve cybersecurity at water systems that could affect safe drinking water, and that the agency has partnered with states to identify ways to help utilities.
The Biden administration has been pursuing various actions in order to beef up the sector’s cybersecurity practices, including releasing a voluntary 100-day action plan for facilities in January (Greenwire, Jan. 27).
“Recent events have highlighted the importance of this effort, and the agency is taking a multi-pronged approach in close partnership and coordination across the federal government and in collaboration with state agencies,” Carroll said.
Water treatment facility operators are generally not given cybersecurity training as part of their on-the-job training or certification requirements.
The White House didn’t immediately respond to questions about Neuberger’s comments.
Reporter Christian Vasquez contributed.