CISA's Water Sector Guide Puts Incident Response Front & Center

Published: 23/11/2024   Category: security




As cyberattackers increasingly target water suppliers and wastewater utilities, the US federal government wants to help limit the impact of destructive attacks.



Water and wastewater utilities last week received new guidance for improving their response to cyberattacks from the US Cybersecurity and Infrastructure Security Agency (CISA), following a greater number of attacks by nation-state groups and cybercriminals targeting the underserved critical infrastructure.
CISA's 27-page guide offered a series of important takeaways for utilities in the water sector, including detailed advice on how to create an effective incident response playbook.
The Cyber Incident Response Guide for the Water and Wastewater Sector aims to clarify the best practices for reporting cyber incidents, to connect utilities with resources to help improve their cybersecurity, and to encourage collaboration among the businesses in the sector. The United States has approximately 51,000 community water systems — 83% of which serve small communities accounting for only 8% of the US population — and 16,500 publicly owned treatment works for wastewater, according to CISA estimates (PDF).
Cybersecurity efforts for the water and wastewater sector (WWS), however, have been hampered by resource constraints, because utilities typically cannot pass costs on to customers and have tight budgets, says Dawn Cappelli, head of the OT-Cyber Emergency Readiness Team for industrial-cybersecurity firm Dragos. 
"Most of the water utilities in the country are small, and security is not generally a focus for them," she says. "They are under-resourced, and issues like replacing old pipes and infrastructure tend to trump cybersecurity ... [and] they do not have the expertise to understand the risk posed by cyberthreats in their OT environment, which are different than those in their IT environments."
The US government has made securing critical infrastructure a priority following a variety of painful cyber incidents, with the water and wastewater sector becoming the latest targeted sector. In February 2021, a water utility in Oldsmar, Fla., suffered an intrusion in which the attacker tried to raise the level of a caustic chemical more than 100-fold. Six months later, cybercriminals targeted two sewage treatment plants in Maine with ransomware.
More recently, an Iranian-backed group attacked the Aliquippa Municipal Water Authority located in Pittsburgh in November, disrupting the monitoring and control systems for the water pressure to two towns. That attack turned out to be part of a spate of cyberattacks by pro-Iran assailants stretching back months that targeted various water controllers across the country.
And just this week, Veolia North America's Municipal Water division acknowledged that ransomware actors had disrupted several of its IT systems, including those responsible for billing.
While the attackers targeted the water and wastewater sector, such attacks not only affect citizens, but other critical infrastructure as well. Other sectors — such as energy and agriculture — also rely on water, says Mike Bimonte, CTO for the public sector at Armis, an attack-surface protection firm.
"These groups target small municipalities, but really, their hopes are that they have a significant impact — both downstream and upstream — on energy, health, and just the overall well being of the infrastructure," he says, adding: "It's ... the biggest bang for the buck."
More attacks are in the offing: Nation-state cyber actors also have demonstrated an intent to target US WWS utilities, CISA stated in the guide.
CISA recommends that WWS utilities plan for incidents well before they suffer a cyberattack. More than two dozen WWS organizations — along with the FBI and the Environmental Protection Agency — contributed to the guide. CISA assured utilities that the recommendations are not requirements and also warned that they are not exhaustive best practices nor include recommended technical configurations. 
The guidelines call for water and wastewater utilities to do the following:
Prepare by creating an organizational-level incident response plan and taking part in the industry's cyber community.
Improve detection capabilities and the ability to validate potential incidents to reduce noise when reporting to federal agencies.
Plan for containment, eradication, and recovery by sharing information with appropriate groups and having assistance lined up for remediation and mitigation.
Create a post-incident playbook specifying what data and evidence should be retained and distributing guidance on the lessons learned.
While the document should be a reference for all water and wastewater utilities, organizations should first plan to implement the recommendations in the 15 Cybersecurity Fundamentals for Water and Wastewater Utilities report published by the Water Information Sharing and Analysis Center (WaterISAC), says Danielle Jablanski, a cybersecurity strategist for Nozomi Networks, an Industrial Internet of Things and operational technology security firm.
"Every asset owner has to build a strategy with their own understanding of their criticality, their technologies, their vendors, the ecosystem, their resources, and their location," she says. "So a water utility near an Air Force base has different considerations than a water utility near Walt Disney World — they are both equally important, in my mind, but totally different considerations."
Getting water and wastewater utilities to prioritize cybersecurity may be difficult. Cybersecurity issues ranked No. 13 on the list of critical concerns in 2023, according to the 2023 State of the Water Industry report published by the American Water Works Association. Fixing aging water infrastructure, ensuring the water supply, and financing capital improvements have all claimed the top 3 spots on the list of critical issues for the past five years. Cybersecurity did rank No. 10 on the list in 2022, however.
Overall, about a third of utilities (31%) plan to update existing IT systems to be more resilient to intrusion, 7% will install a new IT security system, and a quarter (24%) are assessing their cybersecurity requirements, the report stated.
The problem for water and wastewater utilities, however, is that they are regulated utilities, they are largely decentralized and autonomous, and often operate in isolated geographies, Nozomi's Jablanski says.
Given those conditions, the sector has performed about average compared to other critical infrastructure sectors, she adds.
"The water sector is about even with other sectors who cannot pass their cybersecurity expenditures on to their customers," Jablanski says. "That's something we forget — a lot of companies can pass those costs on, utilities can't."
