CISA, EPA, FBI Publish Top Cyber Steps for Water System Operators

The Cybersecurity and Infrastructure Security Agency (CISA), Environmental Protection Agency (EPA), and FBI published a joint fact sheet on Feb. 21 outlining the top cybersecurity actions water and wastewater systems sector (WWS) entities can take to improve their cyber resiliency.

The fact sheet explains that water systems run operational technology (OT) and information technology (IT) systems “that are too often vulnerable to cyberattacks.”

OT and IT systems serve as the backbone of the water sector and help perform critical tasks such as pumping water from reservoirs. According to CISA’s website, “a compromise of these systems could lead to disruptions of service and significant cascading impacts throughout U.S. critical infrastructure.”

The agencies’ publication of the fact sheet follows closely on the heels of a joint cybersecurity advisory by CISA, EPA, FBI, the National Security Agency, and other agencies on Feb. 7 for critical infrastructure providers to urgently implement a series of cybersecurity actions after discovering that a Chinese-based hacking group Volt Typhoon has compromised the IT environments of multiple U.S. critical infrastructure organizations – with the end goal of a future cyberattack.

The fact sheet offers eight of the top cybersecurity actions water systems can take today to reduce cyber risk and improve cyber resiliency:

1. Reduce exposure of key assets to the public-facing internet – OT devices such as remote terminal units (RTUs) are easy targets for cyberattacks when connected to the internet;
2. Conduct regular cybersecurity assessments to understand the existing vulnerabilities within OT and IT systems;
3. Change default passwords immediately and implement multi-factor authentication (MFA) where possible;
4. Create an inventory of software and hardware assets to better understand what needs to be protected;
5. Develop and exercise cybersecurity incident response and recovery plans;
6. Regularly backup OT and IT systems;
7. Mitigate known vulnerabilities and keep all systems up to date with patches and security updates; and
8. Conduct cybersecurity awareness training at least once a year to help all employees understand the importance of cybersecurity.

CISA, EPA, and FBI are urging all WWS sector entities and critical infrastructure organizations to review the fact sheet and implement the eight actions. Organizations can go to cisa.gov/water for additional sector tools, information, and resources.