February 14, 2024 By Jonathan Reed 3 min read

The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions.

The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response plans, establish baseline standards and enhance information-sharing.

Water safety under attack

In October 2023, cyber criminals allegedly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted water utilities in Pennsylvania. U.S. law enforcement agencies also revealed that ransomware gangs targeted multiple water and wastewater treatment facilities between 2019 and 2021. To date, no attacks have affected the safety of drinking water.

Given the ongoing risk, the new IRG identifies key federal partners where the sector can seek assistance. These include entities such as CISA, EPA, FBI, the Office of the Director of National Intelligence (ODNI) and the DHS Office of Intelligence and Analysis (I&A).

Incident response guide recommendations

For incident response, the new IRG outlines specific practices, which include:

  • Preparation: CISA encourages WWS utilities to consult the agency’s Cyber Performance Goals to strengthen their cybersecurity baseline.
  • Detection and analysis:  Federal agencies may be able to provide no-cost tools and services to impacted utilities. The FBI and CISA may provide onsite and/or virtual technical analysis and support to an organization after receiving reporting.
  • Containment, eradication and recovery: CISA may provide vital information to WWS utility owners and operators on defensive measures to take to contain and eradicate unauthorized threat actors within their assets.
  • Post-incident activity: CISA and its interagency partners can collect data from impacted organizations, anonymize it and share the anonymized data broadly. This data may include relevant TTP, IOCs and other technical data that may support collective defense.

The challenge for small and rural communities

The U.S. water sector has been described as “target-rich, resource-poor” due to the limited financial and technical resources available. And systems in small and rural communities are especially vulnerable.

At a recent hearing by the Committee on Energy and Commerce, Rick Jeffares, President of the Georgia Rural Water Association, said that over 91% of the community water systems in this country serve less than 10,000 people. As per Jeffares, small and rural communities often have “difficulty complying with complicated federal mandates and providing safe affordable drinking water and sanitation due to limited economies of scale and lack of technical expertise.”

Jeffares also said that vendors that receive federal dollars and sell or install automated equipment should be “required by standard protocols established by the EPA and other agencies to better protect water utilities from cyberattacks.”

At the hearing, the need to get the young people involved was also emphasized. “Rural Water has been doing this through a registered apprenticeship program, and it’s working, so we would like to expand. We anticipate the next generation of water operators will have a higher level of computer and cyber sophistication,” said Jeffares.

Lack of funding

Undoubtedly, a large part of the nation’s water safety effort will depend on financial support. The Infrastructure Investment and Jobs Act of 2021 authorized $250 million over five years for EPA grant assistance to public water systems serving communities of 10,000 or more people. The initiative was penned to support projects that reduce water system cybersecurity risks.

However, Congress has only appropriated $5 million for the program, according to Scott Dewhirst, superintendent and chief operating officer of Tacoma Water.

“Fully funding the program — or at least providing a level of appropriations closer to its annual $50 million authorization — would greatly expand the number of water systems that can tap these resources to improve their cyber defenses,” Dewhirst told lawmakers.

Clearly, the nation’s water supply is at risk. Protective initiatives must be acted upon without delay.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today