Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

CISA & FBI Share How to Secure Water Systems

What Happened

On February 21, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released a crucial fact sheet titled “Top Cyber Actions for Securing Water Systems.”

This fact sheet outlines key actions that Water and Wastewater Systems (WWS) Sector entities can take to protect against malicious cyber activities. It offers actionable guidance to bolster the security and resilience of water systems across the nation.

About the Fact Sheet

The fact sheet provides a detailed blueprint for enhancing the cybersecurity posture of Water and Wastewater Systems (WWS) Sector entities. It emphasizes the critical need for these entities to adopt a proactive stance against the backdrop of increasing cyber threats. The document lists eight actionable steps designed to safeguard water systems from malicious cyber activities:

  • Reduce Exposure to the Public-Facing Internet: Limiting water systems’ direct access to the internet to reduce potential entry points for cyberattacks.
  • Conduct Regular Cybersecurity Assessments: Performing thorough evaluations of cybersecurity practices to identify and address vulnerabilities.
  • Change Default Passwords Immediately: Replacing factory-set or default passwords with strong, unique alternatives to prevent unauthorized access.
  • Conduct an Inventory of Operational Technology/Information Technology Assets: Keeping a detailed record of all IT and OT assets for better management and security oversight.
  • Develop and Exercise Cybersecurity Incident Response and Recovery Plans: Establishing and regularly practicing response procedures to ensure preparedness for potential cybersecurity incidents.
  • Backup OT/IT Systems: Regularly creating backups of critical systems and data to enable quick recovery from cyber incidents.
  • Reduce Exposure to Vulnerabilities: Applying timely patches and updates to software and systems to fix known security flaws.
  • Conduct Cybersecurity Awareness Training: Educating staff on the risks associated with cyber threats and promoting best practices for cybersecurity.

The fact sheet encourages organizations to leverage available resources and seek support from federal agencies like CISA and EPA in executing these strategies. This guidance underscores the agencies’ commitment to the principle that robust cybersecurity practices are essential for the protection and reliability of the nation’s water infrastructure.

Cyberattacks Targeting Water Systems in the U.S.

Recent cyberattacks on U.S. water systems have underscored their vulnerability.

For instance, the Municipal Water Authority of Aliquippa in Pennsylvania fell victim to an attack by Iranian Cyber Av3ngers group in November 2023. Although the attack, which targeted Israeli-made technology, did not disrupt water services, it highlighted the risks facing U.S. water utilities. Please see our news article for more information about this cyberattack.

Also, in 2021, ransomware attacks targeted SCADA systems at water facilities in Nevada, Maine, and California. These attacks showcase the cyber vulnerabilities of the water and wastewater systems. While these incidents did not lead to significant disruptions, they emphasized the critical need for robust cybersecurity measures.

Furthermore, in January 2021 and February 2021, hackers attempted to poison water treatment plants in the San Francisco Bay Area and Florida, respectively. Fortunately, both attempts failed.

Accordingly, CISA released an alert about the ongoing cyber threats to US water and wastewater systems in 2021. It also included mitigating actions.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.