News | February 26, 2024

CISA Fact Sheet Aims To Aid Water Sector Cyber Preparedness

Last week, the Cybersecurity and Infrastructure Security Agency (CISA), along with EPA and the FBI, published a new fact sheet to help drinking water and wastewater systems reduce cyber risks and improve resilience to cyberattacks.

The fact sheet, Top Actions for Securing Water Systems, contains eight recommended action items and guidance on how to access available resources. The actions are:

  1. Use cyber hygiene services to reduce exposure of key assets to the public-facing internet.
  2. Conduct a cybersecurity assessment on a regular basis to understand and prioritize existing vulnerabilities.
  3. Require unique, strong, and complex passwords for all water systems, including connected infrastructure – DO NOT USE default passwords.
  4. Create an inventory of software and hardware assets, which will help your security team understand what needs to be protected.
  5. Develop and exercise cybersecurity incident response and recovery plans so everyone understands roles, responsibilities and reporting requirements.
  6. Regularly back up OT/IT systems so you can recover to a known and safe state in the event of a compromise.
  7. Mitigate known vulnerabilities, especially known exploited vulnerabilities, and keep all systems up to date with patches and security updates.
  8. At a minimum, conduct annual cybersecurity awareness training to help all employees understand the importance of cybersecurity and how to prevent and respond to cyberattacks.

The release of the fact sheet comes just weeks after a House subcommittee held a hearing on water system cybersecurity, and policymakers have expressed increased interest in exploring the topic in recent months.

Source: Association of Metropolitan Water Agencies (AWWA)