CISA and partners publish a fact sheet on free cyber vulnerability scanning for water utilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the Environmental Protection Agency (EPA), Water Sector Coordinating Council (WSCC), and the Association of State Drinking Water Administrators (ASDWA), has developed a fact sheet on free cyber vulnerability scanning for water utilities. The document explains the benefits of CISA’s free vulnerability scanning program and the steps to enroll in the service.

CISA’s vulnerability scanning can help the utility identify and address cybersecurity weaknesses that an attacker could use to impact their system. The benefits of this service include identifying internet-accessible assets and identifying vulnerabilities in the utility’s assets connected to the internet, including Known Exploited Vulnerabilities (KEVs) and internet-exposed services commonly used for initial access by threat actors and some ransomware gangs. 

The service also provides weekly reports on scanning status and recommendations for mitigating identified vulnerabilities. Newly enrolled water utilities see a significant reduction in identified vulnerabilities in the first few months of scanning, and continuous scanning provides ongoing detection and reporting of new vulnerabilities.

“CISA uses automated tools to conduct vulnerability scanning on your external networks. These tools look for vulnerabilities and weak configurations that adversaries could use to conduct a cyberattack,” the document outlined. “CISA’s scanning provides an external, non-intrusive review of internet-accessible systems. The scanning does not reach your private network and cannot make any changes. CISA will send you weekly reports with information on known vulnerabilities found on your internet-accessible assets, week-to-week comparisons, and recommended mitigations.” 

The service can also be configured so that ad-hoc alerts can be received for any urgent findings. “CISA does not share any attributable information without written and agreed consent from the stakeholder. CISA summarizes aggregate, anonymized data to develop non-attributable reports for analysis purposes,” it added.

The various phases included in CISA’s vulnerability scanning enrollment are pre-planning, planning, execution, and reporting. 

The pre-planning and planning phases involve the stakeholder. In pre-planning, the stakeholder requests the vulnerability scanning service and signs and returns documents; in planning, the stakeholder provides a target list (scope). In the execution phase, CISA performs an initial scan of the submitted scope and rescans the stakeholder’s target list at the following intervals based on the highest severity of identified vulnerabilities: 12 hours for ‘critical’ and ‘known exploited,’ 24 hours for ‘high,’ four days for ‘medium,’ six days for ‘low,’ and seven days for ‘no vulnerabilities.’

Lastly, under the reporting phase, CISA sends ad-hoc alerts within 24 hours of detecting a new ‘urgent’ finding; delivers a weekly report to the stakeholder; provides detailed findings in a consumable format to the stakeholder; and provides vulnerability mitigation recommendations to the stakeholder.

To get started, stakeholders must email ‘[email protected]’ with the subject line ‘Requesting Vulnerability Scanning Services,’ the document said. “Include the name of your utility, a point of contact with an email address, and the physical address of your utility’s headquarters.”

Then, CISA will reply with a Service Request Form and Vulnerability Scanning Acceptance Letter to obtain the necessary information about the utility and its authorization to scan its public networks. Subsequently, scanning will begin within 10 days of receiving all completed forms.

Last month, the U.S. President’s National Infrastructure Advisory Council (NIAC) reported that water utilities face challenges in recruiting, training, and retaining their workers. The agency added that about one-third of the current water sector workforce will be eligible to retire in the next ten years. Technologies used in the water sector are becoming more advanced. New water quality regulations such as the limits on forever chemicals and threats such as cybersecurity compromises will require a more specialized workforce.
