Attacks and Vulnerabilities
Critical infrastructure
News
Utilities: Energy & Power, Water, Waste

EU agency releases Water Security Plan to counter hostile actions on water supply systems

January 12, 2022
EU agency releases Water Security Plan to counter hostile actions on water supply systems

The Joint Research Centre at the European Reference Network for Critical Infrastructure Protection (ERNCIP) released on Tuesday its Water Security Plan in the form of a manual that deals with the implementation of security measures to counter hostile actions against the physical and cyber integrity of water supply systems. 

The manual provides a detailed basis for the creation and implementation of a Water Security Plan for drinking water systems, supporting water utility operators with the information and tools they need to develop a plan specifically for the security of their water supply systems. It has also been designed to provide the operator of a drinking water system with the basis for implementing specific measures to improve the security of the water system against malicious threats. 

The research leading to these results has received funding from the European Union as part of the ERNCIP project, the centre said.

Water security planning helps to identify security vulnerabilities and establish security measures to detect the intentional contamination of water supply systems, including a communication strategy to facilitate a fast and effective response, according to the manual. 

Strategic security planning and continuous implementation of security measures by critical water entities enable the member states to enhance and ensure the resilience of drinking water systems, the plan said. Cooperation and exchange of information are required between relevant entities, through water security planning, to carry out holistic risk assessments, take appropriate technical and organizational measures, and report disruptive incidents to national authorities, whether caused by physical or cyber breaches to the drinking water asset. 

The Water Security Plan covers, among various aspects, the implementation of early event detection systems and laboratory analyses after a contamination event, physical, chemical and cyber warning systems, surveillance and control measures for continuous monitoring, and further analytical support to be considered.

The plan pointed out that the need for interaction with emergency authorities requires security protocols to be established between the parties to guide what should be done when an emergency occurs. In particular, a protocol with the hospitals should be established for “syndromic surveillance,” determining the periodicity and the contacts of both entities for the exchange of information. 

It also said that a protocol with one or more laboratories should be established to include pre-defined procedures to be followed in case of physical/cyber impact to drinking water systems. The protocol should include access outside normal working hours and weekends, especially for water utilities that do not have their own laboratory or those who do but may need support for more specific analyses.

The manual also laid down that the water utility, through its nominated Water Security Plan Manager, with the support of the relevant external entities, is responsible for developing the security risk assessment of the water utility. “Risk assessment identifies threats of malicious activities that should be considered and managed, in conjunction with the vulnerabilities of the water system infrastructure, to identify the potential impact from an incident, in terms of casualties and numbers of people affected by loss of access to drinking water,” it added.

The Water Security Plan envisages that every drinking water utility should conduct a security vulnerability assessment to determine whether areas are in need of improved security measures, according to the identified vulnerabilities and the most relevant scenarios, in terms of likelihood and/or impact severity. The assessment should be carried out in collaboration with the national intelligence services and/or other security authorities, if necessary, using outside consultancy if the operator is not sufficiently experienced. 

Vulnerability assessment tools are available, and drinking water utilities should evaluate them and choose a tool appropriate to their needs and size. The use of a security vulnerability ‘Self-Assessment Tool’ and a ‘Certification of Completion’ form, which can be submitted to the security authorities and regulators as a confirmation that the assessment was completed, is strongly recommended for all water utilities, the Water Security Plan added.

Common elements of security vulnerability assessment and any evaluation method should incorporate the characterization of the drinking water system, identification and prioritization of adverse consequences to avoid, determination of critical assets that might be subject to malicious acts, assessment of the likelihood/impact of such malicious acts, evaluation of existing countermeasures, and analysis of current risk and development of a prioritized plan for risk reduction.

As a guiding tool for the identification of potential risk scenarios and the suggestion of corresponding measures for risk reduction, water utilities could take advantage of the risk identification database (RIDB) and the risk reduction measure database (RRMD), according to the manual. 

Early detection sensors, parameter analyses, and contamination warning systems play a key role in supporting water security through the protection of water supply systems and distribution networks, the Water Security Plan said. Online monitoring and sensor parameters are also central to the fast detection of contamination and should be integrated into normal operations. Locations of sensors need to be decided based on the security aspects, as well as other operational aspects such as vulnerabilities, and population at risk.

The centre concluded that the Water Security Plan must be kept active and updated periodically as necessary. Revised versions of the plan must be shared with staff and all stakeholders involved, on a need-to-know basis, immediately, ensuring all outdated copies of the plan are replaced, it added.

Similar cybersecurity concerns about the water sector have been raised in the U.S. by the research organization, Foundation for Defense of Democracies (FDD) in November.  The agency said that cybersecurity issues in the water sector have been brewing, which could affect health and human safety, national security, and economic stability. Significant cybersecurity deficiencies were observed in the drinking water and wastewater sectors as a result in part of structural challenges. These systems operate with limited budgets and even more limited cybersecurity personnel and expertise.

Best practices in cybersecurity for critical infrastructure sectors exist, but we must standardize and mandate them, especially across the water and wastewater sector, and ensure states and municipalities have the resources to meet them, Selena Larson and Lauren Zabierek, wrote in their recent analysis for the Belfer Center for Science and International Affairs. “These systems are vulnerable to attack, meaning that people living in affected communities could suffer, and we cannot wait for a catastrophic event to take action,” they added.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience