Federal agencies have been actively looking at cyber threats to critical infrastructure. In a January 27 announcement, the White House said “it will extend the Industrial Control Systems (ICS) Cybersecurity Initiative to the water sector.” This builds on past activity by the Biden Administration to increase attention to critical infrastructure and industrial control systems, and contains elements that have been sought by policymakers, including network monitoring and information sharing.
The action plan follows a Joint Cybersecurity Advisory in October 2021 warning of ongoing malicious cyber activity targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. At that time, the Government warned that WWS facilities may be vulnerable to ransomware attacks or insider threats from current or former employees who maintain improperly active credentials. WWS Sector cyber intrusions from 2019 to early 2021 included attacks against facilities in California, Maine, Nevada, New Jersey, and Kansas.
In creating a new action plan for a “surge” to examine and improve cybersecurity in the water sector, the White House is enlisting the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS), and the Water Sector Coordinating Council (WSCC). The action plan lays out a voluntary pilot program for owners and operators of water systems large and small by “deploying technology that will monitor their systems and provide near real-time situational awareness and warnings. The plan will also allow for rapidly sharing relevant cybersecurity information with the government and other stakeholders,” something that has been a priority for agencies and several in Congress who want to see increased information flow from the private sector.
While the White House announcement embraces a public-private partnership model, myriad developments in the last year suggest that this collaborative bedrock of federal cyber policy is eroding. Notably, the White House release lamented that “the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure.” Multiple proposals by the Cyberspace Solarium Commission called for information sharing mandates, and Congress has taken up the cause in several proposed bills. Proposed legislation would grant agencies new power to mandate incident reporting and create new substantive cyber expectations for certain sectors. The ISAC/ISAO model has received less attention recently, and policymakers may want to consider how best to protect voluntary collaboration amidst this shift to mandates.
The action plan calls for network and system monitoring, something that certain policymakers have proposed; the Department of Defense (DoD) has also been evaluating threat hunting and monitoring under section 1739 of the FY 2021 National Defense Authorization Act (NDAA). Government threat hunting and network monitoring raise practical and principled concerns about government access to private data, as shown in past civil liberties objections to the Cybersecurity and Information Sharing Act of 2015. Government surveillance of private networks is fraught with complexity, and private companies should proceed with caution. Organizations working with the FBI to permit consensual monitoring under the Wiretap Act for post-breach analysis or remediation often negotiate time limits, data minimization requirements, FOIA protections, and other safeguards. Any monitoring or reporting partnerships between government and critical infrastructure operators should consider various protections.
The water initiative comes amidst a flurry of federal activity by the Transportation Security Administration to impose new requirements on pipeline operators and the rail sector. Unlike the water action plan, those regimes are mandatory and require incident reporting and various assessments to be completed and shared with regulators. At the same time, DHS is working on performance goals for critical infrastructure, under the National Security Memorandum on “Improving the Cybersecurity for Critical Infrastructure Control Systems” (July 28, 2021), which senior officials have indicated will form a standard of care going forward.