CISA’s water-sector guide puts incident response front and center

Water and wastewater utilities last week received new guidance for improving their response to cyberattacks from the US Cybersecurity and Infrastructure Security Agency (CISA), following a greater number of attacks by nation-state groups and cybercriminals targeting the underserved critical infrastructure.

CISA’s 27-page guide offered a series of important takeaways for utilities in the water sector, including detailed advice on how to create an effective incident response playbook.

The “Cyber Incident Response Guide for the Water and Wastewater Sector” aims to clarify the best practices for reporting cyber incidents, to connect utilities with resources to help improve their cybersecurity, and to encourage collaboration among the businesses in the sector. The United States has approximately 51,000 community water systems — 83% of which serve small communities accounting for only 8% of the US population — and 16,500 publicly owned treatment works for wastewater, according to CISA estimates (PDF).

Cybersecurity efforts for the water and wastewater sector (WWS), however, have been hampered by resource constraints, because utilities typically cannot pass costs on to customers and have tight budgets, says Dawn Cappelli, head of the OT-Cyber Emergency Readiness Team for industrial-cybersecurity firm Dragos. 

“Most of the water utilities in the country are small, and security is not generally a focus for them,” she says. “They are under-resourced, and issues like replacing old pipes and infrastructure tend to trump cybersecurity … [and] they do not have the expertise to understand the risk posed by cyberthreats in their OT environment, which are different than those in their IT environments.”

Water & Wastewater Cybersecurity Incidents on the Rise

The US government has made securing critical infrastructure a priority following a variety of painful cyber incidents, with the water and wastewater sector becoming the latest targeted sector. In February 2021, a water utility in Oldsmar, Fla., suffered an intrusion in which the attacker tried to raise the level of a caustic chemical more than 100-fold. Six months later, cybercriminals targeted two sewage treatment plants in Maine with ransomware. 

More recently, an Iranian-backed group attacked the Aliquippa Municipal Water Authority located in Pittsburgh in November, disrupting the monitoring and control systems for the water pressure to two towns. That attack turned out to be part of a spate of cyberattacks by pro-Iran assailants stretching back months that targeted various water controllers across the country.

And just this week, Veolia North America’s Municipal Water division acknowledged that ransomware actors had disrupted several of its IT systems, including those responsible for billing.

To read the complete article, visit Dark Reading.