February 14, 2024 By Jonathan Reed 3 min read

The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions.

The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response plans, establish baseline standards and enhance information-sharing.

Water safety under attack

In October 2023, cyber criminals allegedly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted water utilities in Pennsylvania. U.S. law enforcement agencies also revealed that ransomware gangs targeted multiple water and wastewater treatment facilities between 2019 and 2021. To date, no attacks have affected the safety of drinking water.

Given the ongoing risk, the new IRG identifies key federal partners where the sector can seek assistance. These include entities such as CISA, EPA, FBI, the Office of the Director of National Intelligence (ODNI) and the DHS Office of Intelligence and Analysis (I&A).

Incident response guide recommendations

For incident response, the new IRG outlines specific practices, which include:

  • Preparation: CISA encourages WWS utilities to consult the agency’s Cyber Performance Goals to strengthen their cybersecurity baseline.
  • Detection and analysis:  Federal agencies may be able to provide no-cost tools and services to impacted utilities. The FBI and CISA may provide onsite and/or virtual technical analysis and support to an organization after receiving reporting.
  • Containment, eradication and recovery: CISA may provide vital information to WWS utility owners and operators on defensive measures to take to contain and eradicate unauthorized threat actors within their assets.
  • Post-incident activity: CISA and its interagency partners can collect data from impacted organizations, anonymize it and share the anonymized data broadly. This data may include relevant TTP, IOCs and other technical data that may support collective defense.

The challenge for small and rural communities

The U.S. water sector has been described as “target-rich, resource-poor” due to the limited financial and technical resources available. And systems in small and rural communities are especially vulnerable.

At a recent hearing by the Committee on Energy and Commerce, Rick Jeffares, President of the Georgia Rural Water Association, said that over 91% of the community water systems in this country serve less than 10,000 people. As per Jeffares, small and rural communities often have “difficulty complying with complicated federal mandates and providing safe affordable drinking water and sanitation due to limited economies of scale and lack of technical expertise.”

Jeffares also said that vendors that receive federal dollars and sell or install automated equipment should be “required by standard protocols established by the EPA and other agencies to better protect water utilities from cyberattacks.”

At the hearing, the need to get the young people involved was also emphasized. “Rural Water has been doing this through a registered apprenticeship program, and it’s working, so we would like to expand. We anticipate the next generation of water operators will have a higher level of computer and cyber sophistication,” said Jeffares.

Lack of funding

Undoubtedly, a large part of the nation’s water safety effort will depend on financial support. The Infrastructure Investment and Jobs Act of 2021 authorized $250 million over five years for EPA grant assistance to public water systems serving communities of 10,000 or more people. The initiative was penned to support projects that reduce water system cybersecurity risks.

However, Congress has only appropriated $5 million for the program, according to Scott Dewhirst, superintendent and chief operating officer of Tacoma Water.

“Fully funding the program — or at least providing a level of appropriations closer to its annual $50 million authorization — would greatly expand the number of water systems that can tap these resources to improve their cyber defenses,” Dewhirst told lawmakers.

Clearly, the nation’s water supply is at risk. Protective initiatives must be acted upon without delay.

More from News

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government. The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of…

Recent developments and updates in Biden cyber policy

3 min read - The White House recently released its budget for the 2025 fiscal year, which supports the government’s commitment to cybersecurity. The cybersecurity funding allocations line up with the FY 2025 cybersecurity spending priorities released last year that included the following pillars: Defend critical infrastructure Disrupt and dismantle threat actors Shape market forces to drive security and resilience Invest in a resilient future Forge international partnerships to pursue shared goals. In 2023, the White House released a 35-page document detailing the new…

Change Healthcare cyberattack causes dire billing crisis

3 min read - Last month’s cyberattack on Change Healthcare, a sizable unit of UnitedHealth Group, brought new repercussions rarely seen in a cyberattack. As a result of the threat actor’s actions, healthcare systems and providers suffered cash flow issues, which resulted in providers being unable to pay their rent, owners dipping into their personal savings and patients being prevented from receiving important medications. Most importantly, patients are unable to get insurance approval for procedures, surgeries and prescriptions, which can affect their health outcomes.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today