Connect with us

Hi, what are you looking for?



US Government Issues Guidance on Securing Water Systems

CISA, FBI and EPA release guidance on how Water and Wastewater Systems Sector entities can secure their environments.

The US government on Wednesday released new guidance on the actions that water and wastewater (WWS) sector entities should take to improve the resilience of their networks to cyberattacks.

In addition to instructions, the document, titled Top Cyber Actions for Securing Water Systems (PDF), provides information on available free resources that can help WWS organizations assess and improve their security posture.

To minimize cyber risks to water systems, WWS entities are advised to reduce internet exposure by removing OT devices from the public access, conduct regular assessments to identify vulnerable OT and IT systems and prioritize patching, and improve password hygiene by changing default passwords to unique, complex ones and implementing multi-factor authentication (MFA).

Furthermore, they should inventory OT and IT assets, focusing on software and hardware assets exposed to the internet, and should regularly backup OT and IT systems, storing the backups in isolated locations.

All systems and applications, the document notes, should be updated in a timely manner, and organizations should prioritize OT patches in line with the US cybersecurity agency CISA’s Known Exploited Vulnerabilities catalog.

Finally, organizations should conduct cybersecurity awareness training at least once a year, the document, authored by CISA, the Environmental Protection Agency (EPA), and the FBI, reads.

Organizations that lack the necessary resources to fully implement a cybersecurity resilience plan can access free programs, tools, services, and training that CISA and EPA provide, including a free vulnerability scanner tailored to water utilities.

All WWS entities and critical infrastructure organizations are advised to review the guide and implement the recommended actions to improve their cyber resilience.

Advertisement. Scroll to continue reading.

The new guidance was published roughly one month after CISA, EPA, and the FBI released an incident response guide to help WWS entities improve their cyber resilience and incident response capabilities.

Related: CISA Flags Gaps in Healthcare Org’s Security Posture, Issues Security Guidance

Related: NSA Issues Guidance on Incorporating SBOMs to Improve Cybersecurity

Related: Five Eyes Agencies Publish Guidance on Eliminating Memory Safety Bugs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...


Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...


Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.