WASHINGTON -- A group of bipartisan House lawmakers has introduced legislation intended to protect critical infrastructure - including water treatment facilities - from cyberattacks.
The Department of Homeland Security (DHS) Industrial Control Systems Enhancement Act was introduced following the February breach of a water treatment facility in Oldsmar, Fla. The act would give more authority to the Cybersecurity and Infrastructure Security Agency (CISA) to protect these systems against attacks.
Under the Bill's provisions, the CISA director would be required to maintain the ability to detect and respond to attacks on industrial control systems, and also be able to provide assistance to critical infrastructure groups. The director would also be required to collect and distribute information on vulnerabilities in systems to owners and operators.
“As I have said consistently, we need to continue to build centralized cybersecurity capacity with CISA where possible for the entire critical infrastructure community to voluntarily benefit from,” Katko said in a statement. “This important piece of legislation will solidify CISA’s lead role in protecting our nation’s critical infrastructure from cyber threats, particularly to our industrial control systems.”
This is just one in a string of security-minded measures for water agencies that have been recommended over the years. In the wake of the Florida atttempt, a four-page joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency, the EPA and Multi-State Center for Internet Security was circulated among water agencies. The document recommends following “Cyber Hygiene” and recommends steps such as keeping software up-to-date, implementing “independent cyber-physical safety systems,” and using randomized alphanumeric passwords.
The America’s Water Infrastructure Act of 2018 requires that water treatment systems that service more than 3,300 people “to develop or update risk assessments and emergency response plans.”