Federal agencies release cyber guidance for water sector after watchdog criticism

A trio of federal agencies published a guide of cybersecurity best practices for the water and sanitation sector following criticism from a U.S. government watchdog about the government’s work with the industry.

On Wednesday, the Environmental Protection Agency (EPA) partnered with the FBI and Cybersecurity and Infrastructure Security Agency (CISA) to release a manual providing the water industry with more information on cyber incident response as well as the roles, resources and responsibilities for each federal agency involved in cybersecurity.

On January 9, the Office of the Inspector General (OIG) said CISA needed to do more “external collaboration and internal coordination within the Water and Wastewater Sector.”

CISA agreed with all three recommendations and provided a detailed timeline for when and how they would foster deeper ties with the water industry, which has faced a bevy of threats since the onset of the Israel-Hamas war.

“The Water and Wastewater Systems [WWS] sector is under constant threat from malicious cyber actors. This timely and actionable guidance reflects an outstanding partnership between industry, nonprofit, and government partners that came together with EPA, FBI and CISA to support this essential sector,” said CISA Executive Assistant Director for Cybersecurity Eric Goldstein.

The guide was developed alongside dozens of cybersecurity companies, industry organizations, state governments and federal agencies, according to CISA.

It includes four major pillars that cover how organizations can prepare for cyberattacks, including how to detect and analyze incidents; how to contain, eradicate and recover from attacks; and what to do after an incident.

Water utilities should have an incident response plan and structures in place that allow for easy communication with industry cybersecurity experts, the plan outlines. The guide offers detailed information on which federal partners organizations should coordinate with, how evidence should be preserved and more.

Bryan Vorndran, assistant director of the FBI’s Cyber Division, said a key part of their cyber strategy is “building strong partnerships and sharing threat information with the owners and operators of critical infrastructure before they are hit with an attack.”

EPA Assistant Administrator for Water Radhika Fox added that cyber threats affecting the water sector are a “real and urgent risk to safe drinking water and wastewater services that our nation relies on.”

‘Cyber-poor’

The federal government’s efforts to help the water industry deal with cybersecurity threats have been fraught since companies balked at new regulations handed down by the EPA last March.

Republican attorneys general and industry groups launched a successful lawsuit against the new EPA rules, which sought to add cybersecurity assessments to annual state-led Sanitary Survey Programs that evaluate water systems across the U.S.

The EPA rescinded the rule in October, and weeks later multiple water utilities were attacked by hackers allegedly connected to Iran’s Islamic Revolutionary Guard Corps (IRGC). The FBI and EPA said in December that they were tracking a handful of incidents involving water utilities.

Since then, CISA and the EPA have sought to be more proactive about helping the water industry deal with threats, reaching out to utility operators using devices from Israeli company Unitronics and notifying those organizations if they are at risk of cyberattack.

In addition to the nation-state threats, U.S. law enforcement agencies have previously said ransomware gangs hit five U.S. water and wastewater treatment facilities from 2019 to 2021 — and those figures did not include three other widely reported cyberattacks on water utilities.

Despite the threats, the OIG report said CISA “did not consistently collaborate” with the EPA and the water industry to “leverage and integrate its cybersecurity expertise with stakeholders’ water expertise.”

CISA and the EPA had not figured out the roles, responsibilities, and collaboration mechanisms for approaching the industry and CISA did not coordinate enough internally on the sharing of critical information, according to the report.

In a response to the report, CISA Director Jen Easterly acknowledged the issues but noted that it covered 2019 to 2022 and missed much of the agency’s current work addressing the issues. Easterly said the agency is already tackling many of the problems raised and plans to fix most in 2024 and 2025.

In its 2023 review, CISA said it conducted more than 1,700 engagements for the water and wastewater sector and notified six entities in the industry as part of its pre-ransomware notification initiative. Dozens of water utilities were also added to Protective Domain Name System service, which blocked 900 million malicious connections targeting federal agencies last year. The service is designed to disrupt attempted attacks.

“In the new year, CISA will continue to focus on taking every action possible to support ‘target-rich, cyber-poor’ entities like WWS utilities by providing actionable resources and encouraging all organizations to report cyber incidents,” Goldstein said on Thursday.

“Our regional team members across the country will continue to engage with WWS partners to provide access to CISA’s voluntary services, such as enrollment in our Vulnerability Scanning, and serve as a resource for continued improvement.”