Guidance for the ‘Burden of Cybersecurity Compliance’ Emerges

Polsinelli

Two months ago, the White House released its National Cybersecurity Strategy.[1] Since then, various government agencies have issued new cybersecurity guidance for certain critical infrastructure subsectors: for example, the Environmental Protection Agency (EPA) for the public water systems subsector and the Transportation Security Administration (TSA) for the aviation subsector.

In addition to being consistent with the Strategy’s overall goal, “harmonizing regulations to reduce the burden of compliance,” the new requirements focus on fulfilling two of the five objectives of Pillar One of the Strategy: (1) Establish Cybersecurity Requirements to Support National Security and Public Safety, and (2) Scale Public-Private Collaboration.

‘Like Water,’ Hackers too are Shapeless

There are “approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater systems in the United States.” In 2021, water systems in Florida, Utah, and Kansas experienced incidents involving insider, ransomware, and tampering exploits,[2] and according to the EPA, cyberattacks against these facilities are increasing.[3]

In March, for the public water systems (PWS) subsector specifically, the EPA sent guidance to state drinking water administrators to be followed for surveys that review onsite water sources, facilities, equipment, and operations to evaluate their adequacy for producing and distributing safe drinking water.[4]

For related operational technology (OT), i.e., the hardware and software used to monitor or control industrial equipment, assets, processes, and events, the EPA stated that surveys must include an evaluation of the adequacy of their cybersecurity for producing and distributing safe drinking water.[5]

For PWS OT cybersecurity, the EPA recommends self-assessments or third-party assessments and suggests these should be done annually. For self-assessments, the EPA recommends various frameworks, the most notable and recognized being the National Institute of Standards and Technology’s Cybersecurity Framework (CSF).[6]

But the EPA also recommends an optional method that is potentially easier: a checklist of 37 ‘yes’ or ‘no’ questions covering the main areas listed below.[7] The same checklist also includes fact sheets that succinctly explain why each question matters, with additional guidance and implementation tips.

  1. Account Security.
  2. Device Security.
  3. Data Security.
  4. Governance and Training.
  5. Vulnerability Management.
  6. Supply Chain/Third Party.
  7. Response and Recovery.
  8. Other.

Aviation Subsector Tracks Rail Regulations

Within a few days of the EPA’s PWS guidance, the TSA issued an emergency cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators in the aviation subsector.[8] In its press release, the TSA commended the collaboration that had taken place between public and private sector participants.

The amendments to the aviation security programs were adopted from security directives issued for the railroad industry in 2021 and 2022.[9] As with those directives, in addition to more general requirements, the TSA requires that aviation entities describe in detail the cybersecurity-specific measures that will be taken to:

  1. Implement network segmentation policies and controls;
  2. Implement access control measures to secure and prevent unauthorized access;
  3. Implement continuous monitoring and detection policies and procedures; and
  4. Reduce the risk of exploitation of unpatched systems.

For these measures, a schedule must be submitted showing when they will be implemented. Additionally, an annual plan must be submitted describing how the covered entities will proactively and regularly assess the effectiveness of the above measures.

A Call to Action: Defend Critical Infrastructure Now

Two years ago, co-author Kurt Erskine was the U.S. Attorney for the Northern District of Georgia overseeing the response to the Colonial Pipeline ransomware attack, an incident that was the impetus for public-private collaboration like that taking place this week at Polsinelli’s Privacy Summit with the Federal Bureau of Investigation.[10]

As a result of the Colonial attack and others, the days when private companies in certain subsectors were required to develop cybersecurity programs on their own are slowly coming to an end. But just as collaboration consistent with the Strategy takes shape so too will the standards establishing legal duties for cybersecurity across all sectors.

For more information relating to cybersecurity for critical infrastructure, please see here,[11] here,[12] and here.[13]


[4] 40 CFR § 141.2.

[6] Id.

[10] Cybersecurity as a National Security (Not Just Business) Imperative, May 11, 2023, Chicago, https://www.polsinelli.com/events/privacy-summit

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising
