The US government on Thursday published new guidance aimed at helping organizations in the water and wastewater (WWS) sector improve their cyber resilience and incident response capabilities.
Released in response to increased interest from financially and politically motivated threat actors in the United States’ WWS sector, the guide outlines how water utility owners and operators can interact with federal partners to prepare for, mitigate, and respond to incidents.
“The WWS sector has been impacted by various cyber events, including unauthorized access, and ransomware. Continued compromises or failures of the WWS sector could cause cascading impacts across critical infrastructure,” the US cybersecurity agency CISA says.
The Water and Wastewater Sector – Incident Response Guide (PDF), created by CISA, the FBI, and the Environmental Protection Agency (EPA), with assistance from federal agencies and WWS sector partners, details the federal roles, resources, and responsibilities involved throughout the incident response lifecycle.
To improve the water sector’s cybersecurity, the document establishes guidelines for incident reporting, details available resources, services, and no-cost training, helps organizations build a cybersecurity baseline, and encourages them to interact with their local cyber communities.
In some of the previous cyberattacks targeting WWS organizations, threat actors deployed ransomware and attempted to tamper with the normal operations of facilities. In others, state-sponsored hackers compromised devices used at utilities.
To improve the cybersecurity of critical infrastructure, the US government encourages WWS organizations to provide information on cyberattacks to federal partners such as CISA, FBI, EPA, the Office of the Director of National Intelligence (ODNI), and the DHS Office of Intelligence and Analysis (I&A).
Furthermore, they should implement and strengthen their incident response plans by ensuring that the process includes four stages: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
According to the guidance, water facilities should start by building an incident response plan, raising the baseline, and engaging with the community. When detecting an incident, they should evaluate the impacted systems, validate the attack, report it, and analyze it together with federal partners, which can also aid in sharing information and mitigating the attack.
“At the conclusion of any cyber incident, it is important for all relevant partners to conduct a retrospective analysis of both the incident and how responders handled it. The summation of post-incident activities determines ‘lessons learned’,” the guidance reads.
According to CISA, WWS utilities should prioritize resources towards ensuring the normal operation of their water systems, and not towards cybersecurity. However, they are encouraged to participate in collective response efforts whenever possible, regardless of whether they have been the victims of an incident.