US Government's Latest Cybersecurity Guidelines for Water and Wastewater Utilities

January 31, 2024

Water facilities are the new target area for cyber criminals. Several water supply units in the US have been under attack, and the risk continues to grow. Due to the increase in these attacks in the last few years, the US government has released a new set of guidelines to safeguard critical infrastructure within the Water and Wastewater Sector (WWS). The new guidance aims to improve the cyber resilience and incident response capabilities of organizations in the WWS.

Notable attacks over the years include the Rye Brook water facility, which fell victim to a ransomware attack; the Oldsmar, Florida attack, where a hacker attempted to manipulate the chemical levels in the water treatment system; and the Aliquippa, Pennsylvania attack, where hackers gained control of a system associated with a booster station and exploited its known vulnerabilities. These are just a few attacks among several others that have put water facilities in the US at risk.

The new guidelines published by the US government describe how water utility owners and operators can work with federal partners to prepare for, mitigate, and respond to crises. They were released in response to increased interest in the US WWS by financially and politically motivated threat actors.

This year alone, many cyber events, such as ransomware and unauthorized access, have affected the WWS industry. The US cybersecurity organization CISA warns that ongoing breaches or failures in the WWS industry might have a domino effect on critical infrastructure.

CISA, the FBI, and the Environmental Protection Agency (EPA), with help from federal agencies and WWS sector partners, created the Water and Wastewater Sector – Incident Response Guide, which outlines the federal roles, resources, and responsibilities involved throughout the incident response lifecycle.

The document aims to enhance the cybersecurity of the water industry by providing rules for incident reporting, outlining free training, tools, and services, assisting organizations in creating a baseline for cybersecurity, and promoting interaction with local cyber communities.

To improve critical infrastructure cybersecurity, the US government encourages WWS organizations to share cyber attack information with federal partners such as CISA, the FBI, the EPA, the Office of the Director of National Intelligence (ODNI), and the DHS Office of Intelligence and Analysis.

They should also make sure that their incident response procedure consists of four stages: preparation; detection and analysis; containment, eradication, and recovery; and post-event activities. This will help them strengthen and implement their incident response plans.

As per the guidelines, water facilities ought to initiate the process by creating an incident response plan, raising their cybersecurity baseline, and interacting with the community. When an incident is detected, they should assess the affected systems, confirm the attack, report it, and conduct an analysis with federal partners who can help with information sharing and attack mitigation.

“At the end of any cyber incident, it is important for all relevant partners to conduct a retrospective analysis of both the incident and how responders handled it. The summation of post-incident activities determines ‘lessons learned’,” the guidance reads.

According to CISA, WWS utilities should prioritize resources on guaranteeing the proper operation of their water systems, rather than cybersecurity. Even if they haven't been the victims of an incident, they are nonetheless encouraged to take part in coordinated response actions whenever feasible.

Source: https://www.securityweek.com/us-gov-publishes-cybersecurity-guidance-for-water-and-wastewater-utilities/ 
