The US government on Wednesday released new guidance on the actions that water and wastewater (WWS) sector entities should take to improve the resilience of their networks to cyberattacks.
In addition to instructions, the document, titled Top Cyber Actions for Securing Water Systems (PDF), provides information on available free resources that can help WWS organizations assess and improve their security posture.
To minimize cyber risks to water systems, WWS entities are advised to reduce internet exposure by removing OT devices from the public access, conduct regular assessments to identify vulnerable OT and IT systems and prioritize patching, and improve password hygiene by changing default passwords to unique, complex ones and implementing multi-factor authentication (MFA).
Furthermore, they should inventory OT and IT assets, focusing on software and hardware assets exposed to the internet, and should regularly backup OT and IT systems, storing the backups in isolated locations.
All systems and applications, the document notes, should be updated in a timely manner, and organizations should prioritize OT patches in line with the US cybersecurity agency CISA’s Known Exploited Vulnerabilities catalog.
Finally, organizations should conduct cybersecurity awareness training at least once a year, the document, authored by CISA, the Environmental Protection Agency (EPA), and the FBI, reads.
Organizations that lack the necessary resources to fully implement a cybersecurity resilience plan can access free programs, tools, services, and training that CISA and EPA provide, including a free vulnerability scanner tailored to water utilities.
All WWS entities and critical infrastructure organizations are advised to review the guide and implement the recommended actions to improve their cyber resilience.
The new guidance was published roughly one month after CISA, EPA, and the FBI released an incident response guide to help WWS entities improve their cyber resilience and incident response capabilities.
Related: CISA Flags Gaps in Healthcare Org’s Security Posture, Issues Security Guidance
Related: NSA Issues Guidance on Incorporating SBOMs to Improve Cybersecurity
Related: Five Eyes Agencies Publish Guidance on Eliminating Memory Safety Bugs