Policymakers and regulators in Washington are bringing their attention now to water utilities’ cybersecurity. Last month, the White House announced it was expanding its public-private cybersecurity partnership to the water sector. Separately, in December of 2021, the Environmental Protection Agency (EPA) announced an evaluation of regulations related to the public water system’s cybersecurity, which will change in April.
Prompted by recent cybersecurity incidents affecting critical infrastructure companies and organizations, including Colonial Pipeline, JBS Foods, and a high-profile cyber intrusion at a water utility in Oldsmar, Florida, these initiatives follow similar policy efforts launched by the White House to improve the security of key economic sector’s industrial control systems.
Water and wastewater systems are a target of malicious cyber threat actors. Last October, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) issued a joint alert to highlight the ongoing malicious cyber activity targeting water and wastewater systems. This threat activity includes attempts to compromise system integrity via unauthorized access to water system information technology networks and online operational technologies.
Safe Water and Cybersecurity
There are thousands of vital systems in the water sector ranging in size from small towns to large metropolitan areas. According to one estimate, over 82 percent of these water utilities serve fewer than 3,300 customers. The White House initiative, developed in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), Environmental Protection Agency (EPA), and the Water Sector Coordinating Council (WSCC), focuses on ensuring water utilities have access to real-time situational awareness and threat information, and the agencies can quickly share relevant cybersecurity information to improve the sector’s ability to identify malicious activity. The plan also highlights the importance of cybersecurity monitoring and threat visibility to the sector.
The White House, CISA, EPA and the WSCC will work with pilot program participants during the next 100-days to create an action plan to improve the cybersecurity of the sector.
How SecurityScorecard Can Help Water Utilities
With cyber Security Ratings and building from SecurityScorecard’s transparent methodology, water utilities can continuously monitor and oversee the security of their networks—and empower utility providers to make risk-based and data-driven decisions about how security controls can improve, and keep their water safe.
SecurityScorecard’s security ratings platform provides a way for water sector organizations to review risk and prioritize their mitigation strategies so that they can reduce the impact of the cybersecurity threats affecting them. including:
1. Cybersecurity Monitoring – Our scorecards provide free real-time awareness of your own threat landscape and cybersecurity posture – including a signal specifically surfacing accessible ICS devices. Over half of all cyber incidents occur through third parties. SSC offers a low-cost solution to monitor your vendors and suppliers for the only 360 degree view of your complete attack surface.
2. Rapid Sharing of Cybersecurity Information and Threats – Our scorecards allow you to share publicly available information about your cybersecurity posture with the government and stakeholders – even while internal security logs are still being reviewed. We can work with you to analyze the origin of a breach and research the attack and the threat actors.
3. Cyber Risk Assessments – Our scorecards provide real-time risk assessments and will help organizations prioritize cybersecurity investments, remediation and improvements.