In response to “multiple” cyber threat vectors, the Biden administration has asked governors of all 50 states to generate cybersecurity plans within 90 days (approximately July 1, 2024) to protect local water and wastewater facilities. In a two-page letter sent Thursday, March 28, 2024, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, requested that governors develop “action plans” to mitigate significant cyber vulnerabilities to protect water/wastewater treatment facilities, noting that many systems still “suffer from gaps in their cybersecurity practices.”

The White House is particularly concerned about cyberattacks linked to Iran after Israeli-made Unitronics industrial control systems used in U.S. water and wastewater facilities were hacked in response to the war in Gaza. In late November, 2023, the communities of Aliquippa, PA and the North Texas Municipal Water District, among others, suffered attacks on their control and business systems.

In a separate March 21, 2024 letter, White House National Security Advisor Jake Sullivan and EPA Administrator Michael Regan issued essentially the same request of states to share their cybersecurity plans by May 20, 2024. It is unclear if the most recent request supplants the NSA/EPA request, or if they are somehow complimentary. Regardless, water and wastewater operators have another opportunity to weigh in with their respective states’ chief cyber officers to impact what cybersecurity measures and mitigation strategies make the most sense. It behooves operators to begin those discussions now. By May 20, 2024 or late June, 2024, the White House may issue orders that operators find objectionable.

In view of these developments, organizations should consider the following proactive steps:

• Develop comprehensive cyber preparedness plans that include steps for risk assessment, implementing robust security measures, crafting detailed incident response strategies, securing cyber insurance coverage, conducting regular employee training, and ensuring compliance with legal and regulatory standards, to effectively mitigate and respond to cyber threats.
• Consider pursuing available funds from federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) to bolster cybersecurity defense.
• Conduct a thorough examination of cyber insurance policies to ensure their insurance program adequately covers potential risks, including assessing the scope of coverage for losses from business interruption and any exclusions or limitations that might undermine coverage in the event of a state-sponsored cyberattack.

Our California Water Views blog also covers this issue in further detail. Read the post "White House Issues Dire Warning Regarding Drinking Water Supply and Wastewater System Cyberattacks".