Light Dark
February 14, 2024 By Jonathan Reed 3 min read
News

The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions.

The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response plans, establish baseline standards and enhance information-sharing.

Water safety under attack

In October 2023, cyber criminals allegedly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted water utilities in Pennsylvania. U.S. law enforcement agencies also revealed that ransomware gangs targeted multiple water and wastewater treatment facilities between 2019 and 2021. To date, no attacks have affected the safety of drinking water.

Given the ongoing risk, the new IRG identifies key federal partners where the sector can seek assistance. These include entities such as CISA, EPA, FBI, the Office of the Director of National Intelligence (ODNI) and the DHS Office of Intelligence and Analysis (I&A).

Incident response guide recommendations

For incident response, the new IRG outlines specific practices, which include:

  • Preparation: CISA encourages WWS utilities to consult the agency’s Cyber Performance Goals to strengthen their cybersecurity baseline.
  • Detection and analysis:  Federal agencies may be able to provide no-cost tools and services to impacted utilities. The FBI and CISA may provide onsite and/or virtual technical analysis and support to an organization after receiving reporting.
  • Containment, eradication and recovery: CISA may provide vital information to WWS utility owners and operators on defensive measures to take to contain and eradicate unauthorized threat actors within their assets.
  • Post-incident activity: CISA and its interagency partners can collect data from impacted organizations, anonymize it and share the anonymized data broadly. This data may include relevant TTP, IOCs and other technical data that may support collective defense.

The challenge for small and rural communities

The U.S. water sector has been described as “target-rich, resource-poor” due to the limited financial and technical resources available. And systems in small and rural communities are especially vulnerable.

At a recent hearing by the Committee on Energy and Commerce, Rick Jeffares, President of the Georgia Rural Water Association, said that over 91% of the community water systems in this country serve less than 10,000 people. As per Jeffares, small and rural communities often have “difficulty complying with complicated federal mandates and providing safe affordable drinking water and sanitation due to limited economies of scale and lack of technical expertise.”

Jeffares also said that vendors that receive federal dollars and sell or install automated equipment should be “required by standard protocols established by the EPA and other agencies to better protect water utilities from cyberattacks.”

At the hearing, the need to get the young people involved was also emphasized. “Rural Water has been doing this through a registered apprenticeship program, and it’s working, so we would like to expand. We anticipate the next generation of water operators will have a higher level of computer and cyber sophistication,” said Jeffares.

Lack of funding

Undoubtedly, a large part of the nation’s water safety effort will depend on financial support. The Infrastructure Investment and Jobs Act of 2021 authorized $250 million over five years for EPA grant assistance to public water systems serving communities of 10,000 or more people. The initiative was penned to support projects that reduce water system cybersecurity risks.

However, Congress has only appropriated $5 million for the program, according to Scott Dewhirst, superintendent and chief operating officer of Tacoma Water.

“Fully funding the program — or at least providing a level of appropriations closer to its annual $50 million authorization — would greatly expand the number of water systems that can tap these resources to improve their cyber defenses,” Dewhirst told lawmakers.

Clearly, the nation’s water supply is at risk. Protective initiatives must be acted upon without delay.

 |  |  |  | 
Jonathan Reed
Freelance Technology Writer

More from News
May 13, 2024

Debate rages over DMCA Section 1201 exemption for generative AI

3 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright. The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”. Now, a fierce debate is brewing over whether to allow…

May 10, 2024

CISA Malware Next-Gen Analysis now available to public sector

2 min read - One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience. In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the…

May 8, 2024

Change Healthcare attack expected to exceed $1 billion in costs

3 min read - The impact of the recent Change Healthcare cyberattack is unprecedented — and so are the costs. Rick Pollack, President and CEO of the American Hospital Association, stated, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.” In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature