CISA Issues New Cybersecurity Guidance For Water And Wastewater Utilities
As drinking water and wastewater treatment utilities become bigger targets for high-tech criminals, the Cybersecurity and Infrastructure Agency (CISA) has developed new guidance on how best to prevent and react to such attacks.
“The incidence response guide, which the U.S. cybersecurity agency published jointly with the FBI and Environmental Protection Agency, outlined cybersecurity best practices for water and wastewater sector (WWS) utility operators as well as how said operators can expect to work with the federal government,” TechTarget reported.
The guide was put together in collaboration with 25 organizations in all, including the American Water Works Association and numerous tech-security firms. It includes sections focused on resources from CISA and the FBI about the help they can offer utility operations in the event of a cyberattack and it has a particular focus on improved readiness.
“In one dedicated preparation, the cybersecurity agency urged information sharing, building an incident response plan, raising each organization’s baseline security hygiene and building a WWS ‘cyber community,’” according to TechTarget. “Examples of baseline security hardening include segmentation of IT and operational technology systems, keeping consistent and sufficient logging practices, and maintaining system backups.”
High-profile ransomware attacks on drinking water and wastewater systems have been increasing, driving federal officials to develop new guidance and stricter requirements in several ways. Recently, a water system in Pennsylvania was breached by hackers tied to an Iranian national group.
Despite the rising threats, water and wastewater systems may be difficult to fortify.
“Getting water and wastewater utilities to prioritize cybersecurity may be difficult,” according to the cybersecurity news site DarkReading. “The problem for water and wastewater utilities … is that they are regulated utilities, they are largely decentralized and autonomous, and often operate in isolated geographies… Given those conditions, the sector has performed about average compared to other critical infrastructure sectors.”
As the effort behind CISA’s new guidance and these emerging resources show, average is no longer going to be good enough to protect such critical systems.
To read more about how drinking water and wastewater utilities are preparing for cyber threats, visit Water Online’s Resiliency Solutions Center.