Cybersecurity
When water utilities get hacked, who should they call?
The federal government's leading cybersecurity agency said a potentially lethal breach of a Florida water treatment plant last month was caused by two factors: a desktop sharing application being widely used due to the coronavirus pandemic and an outdated operating system no longer receiving security updates. The close call is now prompting lawmakers to question what entities govern cybersecurity at water utilities and what changes must be made before a future attack succeeds in harming the public.
Cybersecurity regulations for different industries vary because the rules are set by whichever government agency or panel is responsible for that sector. For water treatment facilities like the one in Oldsmar, Fla., the Environmental Protection Agency is responsible.
That designation comes from an Obama-era policy directive that stated the EPA is the sector-specific agency for water and wastewater systems. In the event of a compromise, such as what happened Feb. 5, EPA partners with the FBI and the Cybersecurity and Infrastructure Security Agency to investigate.
EPA is also charged with administering requirements in America's Water Infrastructure Act, according to an agency spokesman. Any plant serving more than 3,300 people has to plan for "malevolent acts" such as a cybersecurity threat and maintain risk assessments as well as emergency response plans. Those efforts are managed by the water security division which assists facilities in "preparing for, identifying, responding to, and recovering from" cybersecurity threats," according to the spokesman.
W ..
Support the originator by clicking the read the rest link below.
