EPA Cybersecurity Best Practices for the Water Sector
Like other critical infrastructure, the water sector can be a target of cybersecurity threats and hazards. Implementing cybersecurity best practices is critical for water and wastewater utilities. The resources below can bring your utility one step closer to cyber resilience.
Cyber Resilience Resources
Water Sector Cybersecurity Brief for States: This guide can assist state technical assistance (TA) providers with assessing cybersecurity practices at water and wastewater systems and developing an improvement plan to reduce cyber risks.
Cybersecurity Incident Action Checklist: This guide provides steps for water and wastewater systems to prepare for, respond to, and recover from a cybersecurity incident.
Water Sector Cybersecurity Training and Response Exercises: This program offers courses both online and at locations nationally that address water sector cybersecurity threats, vulnerabilities, consequences, best practices, resources, and program development. The courses also include guided response exercises for water sector cybersecurity incidents. For more information and to register, please see here: Introduction to Cybersecurity Virtual Workshop (pdf)
Water Sector Cybersecurity Technical Assistance Provider Program: This program trains state and regional water sector TA providers to assess cybersecurity practices at water and wastewater systems and guide systems through developing a cybersecurity action plan to reduce risks and enhance resilience. The program includes follow-up assistance opportunities after the original assessment. For more information and to register, please see here: Cybersecurity Assessment and Technical Assistance (pdf)
Vulnerability Self-Assessment Tool 2.0 (VSAT Web 2.0): This online tool leads water and wastewater systems through an all-hazards risk assessment, including risks from cybersecurity incidents, and the assessment of costs and benefits of additional countermeasures to reduce risks. Note: This tool includes the capability to analyze cyber threat scenarios.
Develop and Conduct a Water Resilience Tabletop Exercise (TTX) with Water Utilities: This tool provides water and wastewater systems with the resources to plan, conduct and evaluate tabletop exercises for all-hazards scenarios, including cybersecurity incidents. Note: This tool includes the capability to analyze cyber threat scenarios.
EPA Homeland Security Research Program: EPA is researching the ability of hackers to take over the control and operation of pumps, valves, and hydrants, or to provide incorrect operational and water quality information to the water system operators, thus compromising pipe integrity water quality and fire protection. Results from this work will be incorporated into future EPA guidance, tools, and training.
Cybersecurity Incident Response
In responding to a significant cybersecurity incident, the federal government leverages its resources and expertise to provide the targeted infrastructure with a unified, coordinated response as detailed in PPD-41. The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) leads asset response by recieving reports of cybersecurity and incidents and providing technical assistance to affected infrastructures (e.g., water utilities) to protect assets, mitigate vulnerabilities, and reduce impacts.
The Federal Bureau of Investigation (FBI) leads the law enforcement and investigative activity aspects of the response. Pursuant to Presidential Policy Directive 21 (PPD-21), EPA is the Sector Specific Agency (SSA) for the Water and Wastewater Systems Sector. As the SSA for the Water and Wastewater Systems Sector, EPA has an important role in coordinating the cyber incident response; ensuring all appropriate Federal agencies are incorporated into the incident response; facilitating the rapid and appropriate sharing of information and intelligence on the incident response and recovery activities; and coordinating consistent, accurate, and appropriate communications regarding the incident to affected parties and stakeholders.
During a cybersecurity incident, CISA, FBI, and EPA work closely in notifying a targeted entity, assessing the consequences of the cyber incident, and formulating recommendations to the targeted entity. EPA also plays an important part in incident response by directing sector requests for assistance to CISA, confirming these requests are being fulfilled, communicating alerts to the sector, and providing critical “steady-state” support through water sector-specific cybersecurity tools, exercises, and technical assistance.
Alerts - National Cyber Awareness System
CISA Alerts provide timely information about current security issues, vulnerabilities, and exploits. Find DHS CISA Alerts here.
See information regarding the recent SolarWinds incident:
- Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (Public/Private Sector): CISA is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations. One of the initial access vectors for this activity is a supply chain compromise of several SolarWinds Orion products.
- CISA Issues Emergency Directive to Mitigate the Compromise of Solarwinds Orion Network Management Products (Federal Agencies): CISA issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
The FBI Cyber Division provides information regarding the SolarWinds incident:
- FBI Cyber Division’s Private Industry Notification (Private Sector): The FBI Cyber Division provides this Private Industry Notification to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors. This product contains a summary of the SolarWinds Orion incident and recommendations for response actions.
CISA Cybersecurity Resources
- Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government explains when, what, and how to report a cyber incident to the federal government.
- Report Incidents, Phishing, Malware, or Vulnerabilities provides secure means to submit a form regarding a potential cyber threat incident.
- CISA Services Catalog offers significant resources, guidance, and tools to assist critical infrastructure facilities, including water and wastewater systems, with cybersecurity. Including the Cybersecurity Evaluation Tool (CSET®).