US agencies release joint fact sheet to strengthen cybersecurity in water and wastewater systems


The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) have jointly published a fact sheet that gives water and wastewater systems (WWS) sector entities detailed steps to enhance the security of water systems against cyber threats. The move comes in the wake of escalating cybersecurity concerns surrounding WWS, including the potential disruptions to operations and the safety risks these threats pose.

Titled ‘Top Cyber Actions for Securing Water Systems,’ the fact sheet offers practical guidance on several key actions, including minimizing public internet exposure, performing regular cybersecurity assessments, changing default passwords promptly, cataloging operational technology/information technology (OT/IT) assets, developing and practicing cybersecurity incident response and recovery plans, backing up OT/IT systems, mitigating vulnerabilities, and conducting cybersecurity awareness training. These measures aim to fortify the sector’s defenses against cyber attacks.

The initiative also highlights the top cyber actions water systems can take to reduce cyber risk and improve resilience to cyberattacks and provides free services, resources, and tools to support these actions, which can be taken concurrently.

To reduce exposure of key assets to the public-facing Internet, the fact sheet recommends using cyber hygiene services. OT devices such as controllers and remote terminal units (RTUs) are easy targets for cyberattacks when connected to the internet. It also recommends conducting regular cybersecurity assessments to understand the existing vulnerabilities within OT and IT systems. These evaluations enable asset owners and operators to identify, assess, and prioritize vulnerabilities in both OT and IT networks.

On default passwords, the fact sheet identified the requirement for unique, strong, and complex passwords across water systems, including connected infrastructure. “Weak default or insecure passwords are easy to discover and exploit, and they may allow cyber threat actors to make changes to a water system’s operational processes. This can negatively impact public health and safety. Change default or insecure passwords and implement multifactor authentication (MFA) where possible. Focus on deploying MFA to IT infrastructure, such as email, to make it difficult for threat actors to access OT systems. Consider asking manufacturers to eliminate default passwords,” it added. 

The fact sheet called upon asset owners and operators across the water sector to create an inventory of software and hardware assets to help understand what needs to be protected. It suggests focusing initial efforts on internet-connected devices and devices where manual operations are not possible and using monitoring to identify the devices communicating on the network. 

When it comes to developing cybersecurity incident response and recovery plans, the document suggests understanding incident response actions, roles, and responsibilities, as well as who to contact and how to report a cyber incident, before one occurs, to ensure readiness against potential targeting. It cites EPA’s Cybersecurity Action Checklist and CISA’s Incident Response Plan (IRP) Basics as resources to help develop cyber incident response plans.

On exercising, it recommends testing the incident response plan annually to ensure that all operators are familiar with roles and responsibilities. It also pointed to the CISA Tabletop Exercise Package (CTEP) and EPA tabletop exercise (TTX) scenario tools that assist critical infrastructure owners and operators in developing their own tabletop exercises to meet their specific needs.

The fact sheet further emphasizes the critical practice of regularly backing up OT/IT systems. This ensures that asset owners and operators can restore systems to a secure, verified state following a security breach. It is essential to not only perform these backups but also to rigorously test the backup procedures to confirm their effectiveness. Additionally, backups should be isolated from network connections to prevent them from being compromised. 

To enhance the robustness of the backup strategy, the fact sheet advocates adopting the NIST 3-2-1 rule. This rule advises maintaining three copies of data (one primary and two backups), storing the backups on two distinct types of media, and keeping one backup copy offsite to safeguard against local disasters or breaches.

The fact sheet also addressed mitigating known vulnerabilities and keeping all systems up to date with patches and security updates. It asks asset owners and operators to prioritize OT patches following CISA’s Known Exploited Vulnerabilities (KEV) catalog during scheduled downtime of OT equipment, and to prioritize patches in IT, as applicable. It also references CISA’s ‘Secure our World Campaign,’ which offers guidance on updating software.

The document advised asset owners and operators to conduct cybersecurity awareness training annually, at a minimum, to help all employees understand the importance of cybersecurity and how to prevent and respond to cyberattacks.

Earlier this month, the U.S. Congressional Subcommittee on Cybersecurity and Infrastructure Protection conducted a hearing that addressed the concerns surrounding water and wastewater systems in the country. The discussion focused on the potential disruptions to operations and safety risks posed by these threats. The hearing also aimed to explore the measures required to enhance the security of OT infrastructure in the water sector.
