(Update February 27, 2024) Passthrough: Top Cyber Actions for Securing Water Systems – Joint Fact Sheet by CISA, EPA, and FBI
Created: Tuesday, February 27, 2024 - 17:22
Categories: Cybersecurity, Federal & State Resources, OT-ICS Security
CISA and partners updated the recent Fact Sheet – Top Cyber Actions for Securing Water Systems – with resources from water and wastewater systems sector organizations, including WaterISAC. The resources are intended to help support water systems in defending against malicious cyber activity. They include:
- WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities provides an overview of cybersecurity measures with resources to accompany each measure for deeper exploration.
- The American Water Works Association’s (AWWA’s) Water Sector Cybersecurity Risk Management Guidance and Risk Management Tool can help a utility examine which cybersecurity controls and practices are most applicable based on the technology applications they have implemented.
- AWWA’s Water Sector Cybersecurity Risk Management Guidance for Small Systems is a getting started guide that helps small, rural utilities (who serve <10,000 people) assess and implement cyber best practices.
- The MS-ISAC’s Center for Internet Security Risk Assessment Method (CIS RAM) is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Critical Security Controls (CIS Controls) cybersecurity best practices. The CIS RAM Family of Documents provides instructions, examples, templates, and exercises for conducting a cyber risk assessment.
02/22/2024
Yesterday, CISA, the FBI, and the EPA released a joint fact sheet titled: Top Cyber Actions for Securing Water Systems – Free Services, Resources, and Tools for the Water and Wastewater Systems Sector. It includes contributions from sector entities, including WaterISAC.
The fact sheet outlines eight specific actions water and wastewater systems can take to reduce risk and improve resilience to malicious cyber activity and provides free services, resources, and tools to support each action. These actions include:
- Reduce Exposure to the Public-Facing Internet
- Conduct Regular Cybersecurity Assessments
- Change Default Passwords Immediately
- Conduct an Inventory of Operational Technology/Information Technology Assets
- Develop and Exercise Cybersecurity Incident Response and Recovery Plans
- Backup OT/IT Systems
- Reduce Exposure to Vulnerabilities
- Conduct Cybersecurity Awareness Training
WaterISAC urges members to review this fact sheet and the specific guidance provided for each of the actions listed above. For additional sector resources, visit CISA.gov/water.