Among the 16 critical infrastructure sectors identified by CISA, water and wastewater has unique challenges. While there are several large water and wastewater corporations, the majority are smaller entities that operate at the country, municipality, or township scale. As a result, many of these facilities are at a distinct disadvantage when it comes to cyber know-how, control environments, and staff to protect the facility. Asset owners and operators are necessarily focused on operations, infrastructure upkeep, regulatory compliance, and revenue generation. Not surprisingly, fighting off determined and advanced threat actors is a likely "below the line" item when compared with basic operational priorities.
Given the cyber exposure of the nation's critical infrastructure, the Biden Administration has taken steps to refocus asset operators on cybersecurity. The administration's Industrial Control Systems Cybersecurity Initiative began last year with a 100-day sprint for improving the resilience of critical energy infrastructure from cyber threats. Similar sprints were planned for other sectors, and last week, water and wastewater was called to the plate.
The Environmental Protection Agency announced a 100-day program for water and wastewater, centered around a four-point action plan to lock down this critical sector. The country's 52,000 community water systems and 16,000 wastewater systems are expected to strategize around how to improve early detection of cybersecurity threats and improve the sharing of threat indicators and other information in order to expedite action from the federal government, the EPA said in a statement.
An Action Plan for Water and Wastewater Providers
Specifically, there are four action items that the 100-day sprint has prioritized:
Establishing a task force of water sector leaders.
Implementing pilot projects to demonstrate and accelerate adoption of incident monitoring.
Improving information sharing and data analysis.
Providing technical support to water systems.
The action items are meant to improve critical system monitoring and provide immediate situational awareness of threats. In conjunction, operators are expected to share threat data and indicators of compromise with the government and other stakeholders, contributing to the sector's overall resilience. EPA and CISA, meanwhile, will collaborate to develop protocols for sharing threat information.
EPA and CISA will also invite utilities to participate in a pilot program focused on ICS monitoring and information sharing that is expected to illustrate the value of technology that brings visibility of threats and vulnerabilities to stakeholders.
Utilities that serve heavy popular centers, and therefore, "highest consequence systems," according to a Biden administration statement, will be the initial focus on the action plan.
Water a Target of Opportunistic and Advanced Attackers
Water was a victim of several attacks targeting critical infrastructure that made significant headlines last year, starting with the now landmark incident at a water treatment facility in Oldsmar, Fla. Despite a relatively low impact, an attacker was able to access, via TeamViewer, the facility's internal network and tamper with chemical levels in drinking water. Redundancies and other safeguards prevented the tainted water from reaching public drinking water, yet the alarm was raised about vulnerabilities at these facilities, and a general lack of security awareness.
From an industry perspective, a less-than-rosy picture was painted by the results of a survey conducted by the Water Sector Coordinating Council that pointed out more specific deficiencies shared by U.S.-based water treatment facilities. Respondents were clear that many lacked visibility into connected IT and OT assets, and fewer than half of the facilities that participated said they had identified IT-networked assets and even fewer had identified all OT assets.
There's also significant exposure within the sector to remote attackers and malicious insiders who can tamper with critical processes and put public safety at risk. As a result, respondents expressed a need to minimize control system exposure, identify and remediate software vulnerabilities, lock down remote access to systems, and conduct risk assessments. Business continuity, adequate threat intelligence, and cybersecurity training were also prioritized as important needs within the sector.
Federal agencies ramped up the urgency around critical infrastructure cybersecurity improvements after a barrage of attacks last year, starting with SolarWinds spilling over from late 2020, to Colonial Pipeline, JBS Foods, and other extortion-based attacks impacting the delivery of critical services to the country. Attackers in these instances may have been profit-motivated, but they also demonstrated how certain aspects of American critical infrastructure are flawed, and what ensuing incident response from officials look like.
Recommendations
Claroty, a trusted partner for customers in the water and wastewater sectors, applauds the continued federal government focus on cybersecurity.
Our technology and expertise are valued assets to our customers and partners in keeping disruptive attacks at bay. We also understand the government's need for enhanced visibility into the OT networks at the hub of indispensable services, public safety, and national security.
Water facilities and utilities cannot defend what they cannot see. Technology that identifies connected assets, vulnerabilities putting those assets at risk, and provides remediation strategies are of uppermost importance.
Secure remote access technologies purpose-built for OT that provide user provisioning, role- and policy-based access controls, alerting, and the capability to audit, investigate, and terminate potentially malicious remote sessions must be a requisite for facilities connected critical assets online.
