Federal Water and Wastewater Security Incident Response Guide Falls Short

This week, federal guidelines were published to assist owners and operators in the water and wastewater systems (WWS) sector on best practices for cyber incident response. Guidelines are great, but they are just suggestions unless there are the resources for the WWS operators to enable them and some form of industry monitoring to ensure they are met.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Environmental Protection Agency (EPA) worked with more than 25 WWS industry, nonprofit, and state/local government partners to create the Incident Response Guide Water and Wastewater Sector. The agencies encouraged WWS operators to use this guide to augment their incident response planning and collaboration with federal partners and the WWS before, during, and following a cyber incident.

Let’s keep in mind that issuing an incident response guide is helpful, but, as stated, these are only recommendations, and the guide does not include any mandated actions or establish requirements for organizations in this sector to follow.

I understand that many WWS are small, community-owned and security generally is not a focus. But the WWS sector should be held to high standards for protecting our water supply. If CISA is making something like this, it should also provide the resources to assist the WWS to implement, practice, and test to improve incident response and ensure resiliency of our water supply.

Kerr did credit CISA and the other agencies for referencing the CISA Cyber Performance Goals, which were updated March 2023, and are in alignment with the NIST CSF.

“If CISA wants to protect our WWS, they should look into updating the 2015 Water and Wastewater Systems Sector-Specific Plan,” Kerr said.

Trustwave is well-positioned to help WWS and all critical infrastructure operators by reviewing their plans and ensuring they are comprehensive and align with the business, as well as with best practices for ICS/SCADA and critical infrastructure.

Additionally, Trustwave can test plans at the technical level, and more than likely develop and test a complementary incident response plan at the executive level. Testing at this level is important and a point often overlooked by many organizations.

Trustwave also has the tools and personnel to make certain WWS operators have the appropriate controls in place to secure their facilities, thus minimizing the need for an incident response plan.

The final sandbag in the security wall is penetration testing. Conducting tests on a regular basis will ensure the facilities, security solutions, and team are operating at the top of their game.

 

A Four-Step Incident Response Process

The federal and WWS sector partners encourage all WWS utilities to use this incident response guide to augment their incident response planning. The guide is also designed to help WWS entities better collaborate with federal partners before, during, and following a cyber incident, enabling faster recovery in case of an attack.

“In the new year, CISA will continue to focus on taking every action possible to support ‘target-rich, cyber-poor’ entities like WWS utilities by providing actionable resources and encouraging all organizations to report cyber incidents,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “Our regional team members across the country will continue to engage with WWS partners to provide access to CISA’s voluntary services, such as enrollment in our Vulnerability Scanning, and serve as a resource for continued improvement.”

The 27-page guide contains a detailed explanation of the four phases of an incident response lifecycle.

 

Preparation

WWS sector organizations should have an incident response plan in place and implement available services and resources to raise their cyber baseline. Establishing a strong cybersecurity baseline that includes critical controls and safeguards found in CISA’s Cyber Performance Goals (CPGs) can help an organization build a more defensible network architecture and reduce the chance of becoming an easy target of opportunity for an adversary.

Next, engaging with the wider WWS sector cyber community is key. Cyber communities drive collective response. Utilities of any cyber maturity level can engage with existing groups, information streams, and local offices that enhance and raise the cybersecurity posture of the Sector. Although this engagement may cost individual utilities time and resources, it ultimately creates better conditions for collective response to a cyber incident.

 

Detection and Analysis

Accurate and timely reporting and rapid collective analysis are essential to understand the full scope and impact of a cyber incident. The first action is to validate that an attack is in fact in progress and that the anomalous behavior is not due to user error. Points to look for are unusual system behavior, unfamiliar network activity, unexplained data loss or modification, security software alerts, phishing attempts, or if unknown devices or unauthorized access points start appearing on system networks.

If an attack has taken place, the first responders should inform the organization so it can pull in additional resources, such as an outside security vendor. Reporting the incident to state and federal authorities will allow these agencies to judge whether the attack is widespread and, potentially, drive numerous federal response measures.

Containment, Eradication, and Recovery

While WWS Sector utilities are conducting their incident response plan, federal partners are focusing on coordinated messaging and information sharing, and remediation and mitigation assistance.

Post-Incident Activities

Evidence retention, using collected incident data, and lessons learned are the overarching elements for a proper analysis of both the incident and how responders handled it.

 

The Danger Facing Critical Infrastructure

“The Water and Wastewater Systems Sector is a vital part of our critical infrastructure, and the FBI will continue to combat cyber actors who threaten it,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “A key part of our cyber strategy is building strong partnerships and sharing threat information with the owners and operators of critical infrastructure before they are hit with an attack.”

This federal effort comes almost two months after a cyberattack struck the Municipal Water Authority in Aliquippa, Penn., giving threat actors access to a portion of the facility’s pumping equipment. The water treatment trade publication, WaterWorld, shared on Nov. 25 that threat actors disabled a programmable logic controller (PLC) at one of the Authority’s booster stations. The attackers only gained access to pumps that regulate pressure to elevated areas of its coverage, and there was no danger to the water supply, WaterWorld reported.

The WaterISAC also raised the alarm in its report, noting the Aliquippa attack may not have been an isolated incident, and at the time CISA issued an alert concerning the exploitation of Unitronics PLCs used in water and wastewater systems.

 

Conclusion

It’s a positive step that federal agencies took in creating this guide, and organizations in this critical infrastructure area and others should heed what is covered. However, adding a layer of enforcement or oversight by the government would go far toward shoring up our national defenses in this area.

 
