CISA, FBI, EPA Offer Cybersecurity Guide for Water System Operators
After some stops and starts, U.S. federal agencies have issued guidance to help water and wastewater system operators better respond to cyberattacks, an important step as threat actors are increasingly targeting the sector.
The document was put together by the Environmental Protection Agency (EPA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA) and touches on everything from improving the resiliency of the systems to detecting, analyzing, and containing a cyber-incident when it occurs.
It also gives tips for what to do after the incident, including retaining evidence, collecting data, and analyzing both what happened and how they responded.
The guide, released this month, comes in the wake of cyber-incidents targeting the water and wastewater sector over the past couple of years, with the latest one in November 2023, in which a municipal system in Pennsylvania was attacked by the Iran-linked Cyber Av3ngers group.
“Cyber threats to the water sector represent a real and urgent risk to safe drinking water and wastewater services that our nation relies on,” Radhika Fox, the EPA’s assistant administrator for water, said in a statement. “The incident response guide assists utilities with approaches for collaboration with federal entities on lowering cyber risk in our nation’s drinking water and wastewater systems.”
Water Systems an Ongoing Target
Water system operators both inside the United States and abroad are targets of bad actors. Southern Water, an operator in the UK with 2.5 million water customers and 4.7 million wastewater customers, said this week that it fell victim to the notorious ransomware group Black Basta, which reportedly put some of the data it said it stole – such as personal information of customers like home and email addresses and dates of birth – on its leak site.
The Biden Administration has put an emphasis on bulking up the cybersecurity of the nation’s 16 critical infrastructure sectors, including water systems. Earlier this month, the inspector general for the U.S. Department of Homeland Security said in a report that CISA needed to drive collaboration among federal agencies – including the EPA – and water system operators to improve resiliency in the industry.
The report noted that there are about 50,000 community water systems in the country and more than 16,000 publicly owned wastewater treatment systems.
The EPA early last year ordered states to start assessing their public water systems’ security posture. However, the agency stayed the order in July – and later rescinded it in October – after a legal challenge in federal court by Missouri, Iowa, and Arkansas and the American Water Works Association (AWWA) and National Rural Water Association (NRWA) claiming the EPA was overstepping its authority.
The plaintiffs agreed that water systems need strong cybersecurity but questioned what they saw as a heavy-handed move by the EPA.
A Collaborative Effort
CISA, the FBI, and EPA worked with more than two dozen entities in developing the latest guide. Those include water associations like the AWWA and Association of State Drinking Water Administrators, system operators from Washington DC, East Bay Municipal Utility District in California, and elsewhere, and cybersecurity firms like Google-owned Mandiant, Microsoft, and Tenable.
The guide stresses the need for system operators to have an incident response plan in place. In terms of detection and analysis, operators need to quickly and accurately report an incident and collect data for analysis. The guide includes information for validating and reporting an incident and resources for analyzing the data.
Federal agencies will focus on coordinating messaging, sharing information, and helping with remediation and mitigation. After the incident, “evidence retention, using collected incident data, and lessons learned are the overarching elements for a proper analysis of both the incident and how responders handled it,” the agencies wrote.
Attacks on the Rise
There have been a number of cyber-incidents against water systems over the past couple of years. A former employee of the Post Rock Rural Water District in Kansas in 2021 was charged by federal law enforcement with remotely accessing the water system and shutting it down. Later that year, someone accessed the water system in Oldsmar, Florida, in an attempt to poison it by raising the sodium hydroxide levels to more than 100 times the normal amount.
In November 2023, Cyber Av3ngers took responsibility for an incident in which attackers took control of a system within the Municipal Water Authority in Aliquippa, Pennsylvania, that monitors water pressure in nearby towns. The drinking water wasn’t threatened, but the systems were taken offline and the work needed to be done manually.
Cyber Av3ngers, a pro-Palestinian group with reported ties to Iran’s Islamic Revolutionary Guard, has a track record of attacking critical infrastructure, such as water, electrical, and transportation operations, at times targeting SCADA systems made in Israel.
CISA issued an advisory after the attack on the Aliquippa water system warning that threat groups were trying to exploit programmable logic controllers (PLCs) used by water systems to monitor water treatment processes. In the attack in Pennsylvania, Cyber Av3ngers targeted PLCs developed by Israeli company Unitronics.