The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions.

The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response plans, establish baseline standards and enhance information-sharing.

Water safety under attack

In October 2023, cyber criminals allegedly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted water utilities in Pennsylvania. U.S. law enforcement agencies also revealed that ransomware gangs targeted multiple water and wastewater treatment facilities between 2019 and 2021. To date, no attacks have affected the safety of drinking water.

Given the ongoing risk, the new IRG identifies key federal partners where the sector can seek assistance. These include entities such as CISA, EPA, FBI, the Office of the Director of National Intelligence (ODNI) and the DHS Office of Intelligence and Analysis (I&A).

Incident response guide recommendations

For incident response, the new IRG outlines specific practices, which include:

• Preparation: CISA encourages WWS utilities to consult the agency’s Cyber Performance Goals to strengthen their cybersecurity baseline.
• Detection and analysis:  Federal agencies may be able to provide no-cost tools and services to impacted utilities. The FBI and CISA may provide onsite and/or virtual technical analysis and support to an organization after receiving reporting.
• Containment, eradication and recovery: CISA may provide vital information to WWS utility owners and operators on defensive measures to take to contain and eradicate unauthorized threat actors within their assets.
• Post-incident activity: CISA and its interagency partners can collect data from impacted organizations, anonymize it and share the anonymized data broadly. This data may include relevant TTP, IOCs and other technical data that may support collective defense.

The challenge for small and rural communities

The U.S. water sector has been described as “target-rich, resource-poor” due to the limited financial and technical resources available. And systems in small and rural communities are especially vulnerable.

At a recent hearing by the Committee on Energy and Commerce, Rick Jeffares, President of the Georgia Rural Water Association, said that over 91% of the community water systems in this country serve less than 10,000 people. As per Jeffares, small and rural communities often have “difficulty complying with complicated federal mandates and providing safe affordable drinking water and sanitation due to limited economies of scale and lack of technical expertise.”

Jeffares also said that vendors that receive federal dollars and sell or install automated equipment should be “required by standard protocols established by the EPA and other agencies to better protect water utilities from cyberattacks.”

At the hearing, the need to get the young people involved was also emphasized. “Rural Water has been doing this through a registered apprenticeship program, and it’s working, so we would like to expand. We anticipate the next generation of water operators will have a higher level of computer and cyber sophistication,” said Jeffares.

Lack of funding

Undoubtedly, a large part of the nation’s water safety effort will depend on financial support. The Infrastructure Investment and Jobs Act of 2021 authorized $250 million over five years for EPA grant assistance to public water systems serving communities of 10,000 or more people. The initiative was penned to support projects that reduce water system cybersecurity risks.

However, Congress has only appropriated $5 million for the program, according to Scott Dewhirst, superintendent and chief operating officer of Tacoma Water.

“Fully funding the program — or at least providing a level of appropriations closer to its annual $50 million authorization — would greatly expand the number of water systems that can tap these resources to improve their cyber defenses,” Dewhirst told lawmakers.

Clearly, the nation’s water supply is at risk. Protective initiatives must be acted upon without delay.