Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Federal Water and Wastewater Security Incident Response Guide Falls Short

This week, federal guidelines were published to assist owners and operators in the water and wastewater systems (WWS) sector on best practices for cyber incident response. Guideline are great, but they are just suggestions unless there are the resources for the WWS operators to enable them and some form industry monitoring to ensure they are met.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Environmental Protection Agency (EPA) worked with more than 25 WWS industry, nonprofit, and state/local government partners to create the Incident Response Guide Water and Wastewater Sector. The agencies encouraged WWS operators to use this guide to augment their incident response planning and collaboration with federal partners and the WWS before, during, and following a cyber incident.

Let’s keep in mind that issuing an incident response guide is helpful, but stated these are only recommendations, and the guide does not include any mandated actions or establish requirements for organizations in this sector to follow.

I understand that many WWS are small, community owned and security generally is not a focus. But the WWS sector should be held to high standards for protecting our water supply. If CISA is making something like this, it should also provide the resources to assist the WWS to implement, practice, and test to improve incident response and ensure resiliency of our water supply.

Kerr did credit CISA and the other agencies for referencing the CISA Cyber Performance Goals, which were updated March 2023, and are in alignment with the NIST CSF.

“If CISA wants to protect our WWS, they should look into updating the 2015 Water and Wastewater Systems Sector-Specific Plan,” Kerr said.

Trustwave is well-positioned to help WWS, and all critical infrastructure operators by reviewing their plans and ensuring they are comprehensive, align with the business, as well as with best practices for ICS/SCADA and critical infrastructure.

Additionally, Trustwave can test plans at the technical level, and more than likely develop and test a complementary incident response plan at the executive level. Testing at this level is important and a point often overlooked by many organizations.

Trustwave also has the tools and personnel to make certain WWS operators have the appropriate controls in place to secure their facilities, thus minimizing the need for an incident response plan.

The final sandbag in the security wall is penetration testing. Conducting tests on a regular basis will ensure the facilities, security solutions, and team are operating at the top of their game.


A Four-Step Incident Response Process

The federal and WWS sector partners encourage all WWS utilities to use this incident response guide to augment their incident response planning. The guide is also designed to help WWS entities better collaborate with federal partners before, during, and following a cyber incident enabling faster recovery in case of an attack.

“In the new year, CISA will continue to focus on taking every action possible to support ‘target-rich, cyber-poor’ entities like WWS utilities by providing actionable resources and encouraging all organizations to report cyber incidents,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “Our regional team members across the country will continue to engage with WWS partners to provide access to CISA’s voluntary services, such as enrollment in our Vulnerability Scanning, and serve as a resource for continued improvement.”

The 27-page guide contains a detailed explanation of the four phases of an incident response lifecycle.



WWS sector organizations should have an incident response plan in place, implement available services and resources to raise their cyber baseline. Establish a strong cybersecurity baseline that includes critical controls and safeguards found in CISA’s Cyber Performance Goals (CPGs) can help an organization build a more defensible network architecture and reduce the chance of becoming an easy target of opportunity for an adversary.

Next, engaging with the wider WWS sector cyber community is key. Cyber communities drive collective response. Utilities of any cyber maturity level can engage with existing groups, information streams, and local offices that enhance and raise the cybersecurity posture of the Sector. Although this engagement may cost individual utilities time and resources, it ultimately creates better conditions for collective response to a cyber incident.


Detection and Analysis

Accurate and timely reporting and rapid collective analysis are essential to understand the full scope and impact of a cyber incident. The first action is to validate that an attack is in fact in progress and that the anomalous behavior is not due to user error. Points to look for are unusual system behavior, unfamiliar network activity, unexplained data loss or modification, security software alerts, phishing attempts, or if unknown devices or unauthorized access points start appearing on system networks.

If an attack has taken place the first responders should inform the organization so it ca pull in additional resources, such as an outside security vendor. Reporting the incident to state and federal authorities will allow these agencies to judge whether the attack is widespread and potentially, drive numerous federal response measures.

Containment, Eradication, and Recovery: While WWS Sector utilities are conducting their incident response plan, federal partners are focusing on coordinated messaging and information sharing, and remediation and mitigation assistance.

Post-incident activities: Evidence retention, using collected incident data, and lessons learned are the overarching elements for a proper analysis of both the incident and how responders handled it.


The Danger Facing Critical Infrastructure

"The Water and Wastewater Systems Sector is a vital part of our critical infrastructure, and the FBI will continue to combat cyber actors who threaten it,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “A key part of our cyber strategy is building strong partnerships and sharing threat information with the owners and operators of critical infrastructure before they are hit with an attack.”

This federal effort comes almost two months after a cyberattack struck the Municipal Water Authority in Aliquippa, Penn., giving threat actors access to a portion of the facility’s pumping equipment. The water treatment trade publication, WaterWorld, shared on Nov. 25 that threat actors disabled a programmable logic controller (PLC) at one of the Authority’s booster stations. The attackers only gained access to pumps that regulate pressure to elevated areas of its coverage, and there was no danger to the water supply, WaterWorld reported.

The WaterISAC also issued raised the alarm in its report noting the Alquippa attack may not have been an isolated incident and at the time CISA issued an alert concerning the exploitation of Unitronics PLCs used in water and wastewater systems.



It’s a positive step that federal agencies took creating this guide, and organizations in this critical infrastructure area and others should heed what is covered. However, adding a layer of enforcement or oversight by the government would go far to shoring up our national defenses in this area.




Latest Trustwave Blogs

How Deepfakes May Impact Upcoming Elections Worldwide

The common fear regarding election interference is that a threat actor will gain access to either ballot machines or the networks that tally votes. However, there is a much easier method a person...

Read More

Get to Know MXDR: A Managed Detection and Response Service for Microsoft Security

The Microsoft 365 E5 license gives users entitlements to numerous Microsoft Security products—so many, in fact, that as companies deploy the Microsoft Security suite, they may need a managed...

Read More

Trustwave eBook Now Available: 8 Experts on Offensive Security

It is now obvious that defensive measures alone are no longer sufficient to protect an organization from cyberattacks. Threat actors are increasing their capacity at such a rate that merely sitting...

Read More