In a recent turn of events, the U.S. Environmental Protection Agency and National Security Council have raised the alarm on the urgent need for more robust cybersecurity measures to protect water and wastewater systems. They have reached out to state governors, strongly urging them to conduct comprehensive assessments of their current cybersecurity practices, with the aim of pinpointing and mitigating potential vulnerabilities. Water systems, being a lifeline critical infrastructure sector, are enticing targets for cyberattacks. The authorities particularly stress the dire consequences of inadequate basic cybersecurity measures, such as neglecting to reset default passwords or update software to address known vulnerabilities. The intent is to collaborate with the water sector to establish a Water Sector Cybersecurity Task Force, which would identify near-term actions and strategies to minimize the risk of water systems to cyberattacks across the nation.
Letter to State Governors
Dear State Governors,
The U.S. Environmental Protection Agency (EPA) and National Security Council (NSA) have issued a warning to state governments, emphasizing the immediate need for enhanced security measures to protect water and wastewater systems from cyber attacks. As part of this urgent call to action, EPA and NSA strongly encourage comprehensive assessments of the current cybersecurity practices across all water systems within your jurisdiction. Identifying significant vulnerabilities and taking proactive steps to reduce associated risks is of paramount importance. Following such assessments, it is crucial to ensure that plans are in place to adequately prepare for, respond to, and recover from a potential cyber incident.
EPA and NSA warning
We are living in unprecedented times where disruptive cyber attacks are becoming more frequent and far-reaching in their impact. The EPA and NSA believe that the time is ripe for a collective and proactive response to this growing threat landscape. We recognize that your role as State Governor is pivotal in driving this response and reinforcing the defenses of our vital infrastructure.
Request for comprehensive assessments
We urge you to oversee the undertaking of thorough evaluations of the current state of cybersecurity practices within all water and wastewater systems in your state. These comprehensive assessments are instrumental in shedding light on any existing vulnerabilities that could be exploited in a cyber attack.
Identification of vulnerabilities
The identification of vulnerabilities forms the key initial step in creating robust and resilient infrastructure. Once vulnerabilities have been identified, measures can be implemented to fortify weak points and minimize the risk of successful cyber attacks.
Steps to reduce risks
Implementing robust cybersecurity controls and regularly updating them is critical to reducing the risks associated with these vulnerabilities. Contemporary cybersecurity practices incorporate a range of techniques, from intrusion detection systems to regular audits and employee training.
Preparation for cyber incidents
Equally as important as preventative measures is the ability to effectively respond and recover from a cyber incident, should it occur. This requires clear incident response plans and dedicated resources for swift action and system recovery.
Water Systems as Targets
Water and wastewater systems represent an attractive target for cyberattacks. They constitute a vital part of our critical infrastructure but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.
Attractive target for cyberattacks
Cybercriminals are increasingly interested in critical infrastructure due to the potential for significant disruption. Connectivity and automation advances make systems more efficient, but they also introduce additional vulnerabilities, which can be potentially exploited.
Lack of resources and technical capacity
Current economic and technical constraints experienced by water and wastewater systems can inhibit the implementation of robust cybersecurity practices. Overcoming these constraints is essential to building resilience towards cyber threats.
Available guidance for cybersecurity practices
An assortment of guidance is available from various agencies to help bolster cybersecurity practices. Resources from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the American Water Works Association, the National Rural Water Association, and others provide valuable insight and recommendations.
Importance of basic cybersecurity precautions
In many cases, even basic cybersecurity precautions such as resetting default passwords or updating software to address known vulnerabilities are not in place. These simple yet crucial steps can make the difference between normal operation and a disruptive cyberattack.
Water Sector Cybersecurity Task Force
In response to growing concerns, EPA announces its plan to create a Water Sector Cybersecurity Task Force. This Task Force will provide a platform to identify near-term actions and strategies to reduce the risk to water systems nationwide from cyberattacks.
Formation of the task force
The foundation of this Task Force represents a proactive step toward ensuring the security and safe operations of our vital water infrastructure. It is intended to drive effective decision-making and coordinate actions at all levels.
Identification of actions and strategies
The Task Force aims to identify effective measures and strategies that can help in risk mitigation and increase the resilience of water and wastewater systems against cyber threats.
Reduction of cyber attack risk in water systems
By identifying threats and vulnerabilities, the Water Sector Cybersecurity Task Force will provide guidelines, resources, and support to enact preventative measures, improve detection, enhance response, and expedite recovery efforts, thus reducing the risk of cyber attacks on water systems.
Increase in Cyber Attacks on Critical Infrastructure
Cyber attacks on critical infrastructure, including water companies, are distressingly on the rise. Many of these attacks seem to be instigated by groups affiliated with hostile nation-states.
Rise of attacks on water companies
In recent years, there has been a significant uptick in the number of cyber attacks targeting water companies, as cybercriminals take advantage of known vulnerabilities.
Affiliation with hostile nation states
Several recent cyber incidents in the water sector have revealed links with hostile nation-state actors. These groups often use sophisticated attack techniques and highly complex malware to disrupt services and compromise sensitive data.
Examples of cyber attacks on drinking water systems
Examples of such attacks include incidents where hackers associated with foreign governments have attacked critical infrastructure, including drinking water systems.
Importance of Cybersecurity in Critical Infrastructure
One key learning from recent events is the increasing vulnerability of cyber-physical systems to cyber attacks. This realization reinforces the importance of cybersecurity hygiene and the criticality of ensuring software supply chain security.
Cyber-physical systems vulnerability
Today, with escalating cyber threats and evolving attack vectors, the intersection of physical and cyber systems presents new vulnerabilities. These cyber-physical systems demand greater attention and protection to maintain secure and reliable operations.
Necessity for cybersecurity hygiene
Ensuring basic cybersecurity hygiene – regular software updates, rigorous password management, access controls, regular staff training, to name a few, becomes an integral part of protecting infrastructure assets from cyber threats.
Software supply chain security
In the era of increasing interconnectedness, the software supply chain becomes one of the critical points for security concerns. Therefore, ensuring the integrity and security of the entire software supply chain needs to be taken very seriously.
As we work together to safeguard our critical water infrastructure from these escalating threats, we are confident in our collective resilience and ability to respond to these challenges. We thank you for your attention to this pressing matter and look forward to your continued commitment and support in ensuring the security of our water systems.