WaterISAC urges utilities and others sector stakeholders to report incidents and suspicious activity to our analysts. Reporting incidents and suspicious activity helps strengthen sector resilience, because it allows WaterISAC to identify threats and vulnerabilities and to warn other members and partners. The information you share also helps WaterISAC shape products and services, including webinars and reports, that can help utilities stay safe and secure.
WaterISAC maintains confidentiality of the information you provide. If WaterISAC wishes to share your incident in an analysis or other product, we would first secure your express permission to do so, and then we would anonymize the information you have shared. As a private non-profit, WaterISAC is not subject to public records law, further preserving the confidentiality of your report.
In some cases, WaterISAC may encourage you to also report your incident or suspected incident to federal authorities, especially if you intend to seek help with an investigation or recovery. WaterISAC can assist by providing you with contact information and other guidance. Crimes should always be reported to the appropriate authorities.
How do I make a report?
You can file reports of incidents and suspicious activity in three ways:
- By filing a confidential report at www.waterisac.org/report-incident.
- By emailing firstname.lastname@example.org.
- By calling our analyst desk at 866-H2O-ISAC.
What do I report?
WaterISAC seeks reports of both cyber and physical incidents, as well as suspicious activity.
Cybersecurity incidents are cyber attacks or compromises of your enterprise IT system or your industrial control system. These events could be:
- Successful ransomware attacks or close calls.
- Successful installations of malware that had or may have had an impact on the utility’s ability to conduct business and operations.
- Phishing campaigns, including successful or attempted spear phishing of executives, executive assistants, SCADA engineers, IT administrators or other privileged users.
- Successful or attempted business email compromise incidents, including account takeover or impersonation of executives.
- Data thefts.
- Social engineering attempts to gather sensitive information from personnel.
Physical Security Incidents
Reportable physical security incidents include those that are intended to cause any of the following:
- Bodily harm to employees or customers.
- Public health impacts.
- Significant harm to the environment.
- Impacts to the operations of your utility.
- Financial losses to your organization of $10,000 or more (per instance.)
Specific examples of these types of incidents include:
- Intentional water supply or wastewater contamination.
- Surveillance or suspicious questioning.
What happens next?
Once you alert us to the incident or suspicious activity, we will follow up with you for more information. Then we will ask whether we can use the information in WaterISAC reports. If the answer is yes, we will anonymize the information you shared by removing any details that would attribute the incident to you or your utility. The information you share is stored in a protected database. The anonymized information will be used to inform WaterISAC's threat analysis reports.
Federal and Other Reporting Mechanisms
Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC). Report incidents to NCCIC by emailing NCCICCUSTOMERSERVICE@hq.dhs.gov or by calling 888-282-0870. You may also contact WaterISAC for an introduction to NCCIC staff. DHS can protect sensitive information that is shared with its teams, if requested.
NCCIC’s Hunt and Incident Response Team provides onsite incident response free of charge to organizations that require immediate investigation and resolution of cyber compromises.
Federal Bureau of Investigation (FBI). The FBI encourages victims of internet crimes to contact an FBI field office. Crime complaints can also be made to the bureau’s Internet Crime Complaint Center (IC3) at www.ic3.gov.
Utilities in Australia may report incidents to CERT Australia, which is a division of the Australian Cyber Security Centre, by calling 1300-CYBER1 or emailing email@example.com.
Utilities in Canada may report incidents to the Canadian Cyber Incident Response Centre by calling 1-833-CYBER-88 or by emailing firstname.lastname@example.org.