What Happened
On February 21, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released a crucial fact sheet titled “Top Cyber Actions for Securing Water Systems.”
This fact sheet outlines key actions that Water and Wastewater Systems (WWS) Sector entities can take to protect against malicious cyber activities. It offers actionable guidance to bolster the security and resilience of water systems across the nation.
About the Fact Sheet
The fact sheet provides a detailed blueprint for enhancing the cybersecurity posture of Water and Wastewater Systems (WWS) Sector entities. It emphasizes the critical need for these entities to adopt a proactive stance against the backdrop of increasing cyber threats. The document lists eight actionable steps designed to safeguard water systems from malicious cyber activities:
- Reduce Exposure to the Public-Facing Internet: Limiting water systems’ direct access to the internet to reduce potential entry points for cyberattacks.
- Conduct Regular Cybersecurity Assessments: Performing thorough evaluations of cybersecurity practices to identify and address vulnerabilities.
- Change Default Passwords Immediately: Replacing factory-set or default passwords with strong, unique alternatives to prevent unauthorized access.
- Conduct an Inventory of Operational Technology/Information Technology Assets: Keeping a detailed record of all IT and OT assets for better management and security oversight.
- Develop and Exercise Cybersecurity Incident Response and Recovery Plans: Establishing and regularly practicing response procedures to ensure preparedness for potential cybersecurity incidents.
- Backup OT/IT Systems: Regularly creating backups of critical systems and data to enable quick recovery from cyber incidents.
- Reduce Exposure to Vulnerabilities: Applying timely patches and updates to software and systems to fix known security flaws.
- Conduct Cybersecurity Awareness Training: Educating staff on the risks associated with cyber threats and promoting best practices for cybersecurity.
The fact sheet encourages organizations to leverage available resources and seek support from federal agencies like CISA and EPA in executing these strategies. This guidance underscores the agencies’ commitment to the principle that robust cybersecurity practices are essential for the protection and reliability of the nation’s water infrastructure.
Cyberattacks Targeting Water Systems in the U.S.
Recent cyberattacks on U.S. water systems have underscored their vulnerability.
For instance, the Municipal Water Authority of Aliquippa in Pennsylvania fell victim to an attack by the Iranian Cyber Av3ngers group in November 2023. Although the attack, which targeted Israeli-made technology, did not disrupt water services, it highlighted the risks facing U.S. water utilities. Please see our news article for more information about this cyberattack.
Also, in 2021, ransomware attacks targeted SCADA systems at water facilities in Nevada, Maine, and California. These attacks showcase the cyber vulnerabilities of the water and wastewater systems. While these incidents did not lead to significant disruptions, they emphasized the critical need for robust cybersecurity measures.
Furthermore, in January 2021 and February 2021, hackers attempted to poison water treatment plants in the San Francisco Bay Area and Florida, respectively. Fortunately, both attempts failed.
Accordingly, CISA released an alert about the ongoing cyber threats to U.S. water and wastewater systems in 2021; the alert also included mitigating actions.