The water and wastewater utilities in the United States have received new guidelines from the US Cybersecurity and Infrastructure Security Agency (CISA) to enhance their response to cyberattacks. This move follows an increased number of attacks by nation-state groups and cybercriminals specifically targeting the underserved critical infrastructure in the sector.
CISA’s 27-page guide aims to provide important recommendations for utilities in the water sector. It includes detailed advice on creating an effective incident response playbook. The “Cyber Incident Response Guide for the Water and Wastewater Sector” seeks to clarify the best practices for reporting cyber incidents, connect utilities with resources to improve their cybersecurity, and encourage collaboration among businesses in the sector. According to CISA estimates, there are approximately 51,000 community water systems and 16,500 publicly-owned treatment works for wastewater in the United States. However, cybersecurity efforts for the water and wastewater sector have been hindered by resource constraints, as most utilities cannot pass costs on to their customers and operate with tight budgets.
Dawn Cappelli, who heads the OT-Cyber Emergency Readiness Team for industrial-cybersecurity firm Dragos, stated that security is not generally a focus for small water utilities. She added that they are under-resourced and prioritize issues like replacing old pipes and infrastructure over cybersecurity. Additionally, they lack expertise in understanding the risk posed by cyber threats in their operational technology (OT) environment, which is different from their information technology (IT) environment.
The United States government has made securing critical infrastructure a priority in light of a series of cyber incidents targeting the water and wastewater sector. Recent attacks include an intrusion at a water utility in Florida, where the attacker attempted to raise the level of a caustic chemical, and a ransomware attack on two sewage treatment plants in Maine. Additionally, an Iranian-backed group targeted the Aliquippa Municipal Water Authority, disrupting water pressure monitoring and control systems. Furthermore, Veolia North America’s Municipal Water division confirmed that ransomware actors had disrupted several of its IT systems, including those responsible for billing. The attacks on the water and wastewater sector have raised concerns, as these incidents affect not only citizens but also other critical infrastructure sectors.
The document provides specific recommendations for water and wastewater utilities to improve their response to cyber incidents. It advises utilities to prepare by creating an incident response plan, improve detection capabilities, and plan for containment, eradication, and recovery. Moreover, the document specifies the importance of creating a post-incident playbook to retain data and evidence and distribute guidance on lessons learned.
Despite the guidance provided by CISA, getting water and wastewater utilities to prioritize cybersecurity remains challenging. Fixing aging water infrastructure, ensuring the water supply, and financing capital improvements are top concerns, while cybersecurity issues rank lower on the list of critical issues. Additionally, given the decentralized and autonomous nature of water and wastewater utilities, they often operate in isolated geographies, making it difficult for them to prioritize cybersecurity. Most utilities are unable to pass their cybersecurity expenditures on to customers, further complicating the issue.
To address the cybersecurity challenges faced by the water and wastewater sector, organizations are encouraged to first plan and implement the recommendations outlined in the “15 Cybersecurity Fundamentals for Water and Wastewater Utilities” report published by the Water Information Sharing and Analysis Center (WaterISAC). This approach allows each water utility to develop a strategy tailored to its unique considerations, including its criticality, technologies, vendors, resources, and geographic location. While the cybersecurity challenges in the water and wastewater sector are significant, taking proactive steps to improve response capabilities and collaborate with industry partners can help enhance cybersecurity resilience in the critical infrastructure sector.
