The White House announces new cyber regulations for the communications, water & healthcare industries


Introducing new cybersecurity regulations for communications, water and healthcare is crucial as we continue to see the number of cyberattacks on critical infrastructure increase. Alarmingly, in 2021, we saw over 80% of critical infrastructure organisations experience a ransomware attack.

Water and healthcare, in particular, are two industries where a cyberattack can pose a direct risk to human life. For example, we saw threat actors breach a water treatment facility in Florida where they attempted to change the chemical levels, which could have potentially poisoned local residents if it had been successful. Another tragic example is the death of a baby at Alabama Hospital, which may have been the result of a ransomware attack that caused equipment to shut down.

Whilst the White House is yet to confirm where and how exactly it will regulate cybersecurity, it is essential that one area it looks at is cyber-physical systems. We are seeing industries such as water and healthcare converge their OT and IT systems, as well as connect Internet of Things (IoT) devices and Internet of Medical Things (IoMT) devices to company networks without asset-based policy segmentation. These cyber-physical devices are not always designed with security in mind, meaning they can have a number of vulnerabilities for threat actors to exploit.

I’d advise that any new cyber regulations ensure that organisations are closing their inherent security gaps and have complete asset visibility across all cyber-physical systems connected to their network. It should be mandated that companies have patching procedures for OT systems, IoT devices, and IoMT devices. Furthermore, regulations must enforce network segmentation with asset class network policies to restrict unnecessary connectivity – this will limit the movement of malware, ultimately mitigating the impact of cyberattacks.