Water and Wastewater Recommendations and Resources
The Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released a joint fact sheet outlining the cyber actions that water and wastewater sector entities can take to reduce risk and improve resilience to malicious cyber activity reduce overall vulnerability:
- Reduce Exposure to the Public-Facing Internet. Use cyber hygiene services to reduce exposure of key assets to the public-facing internet.
- Conduct Regular Cybersecurity Assessments. Conduct a cybersecurity assessment on a regular basis to understand and prioritize existing vulnerabilities.
- Change Default Passwords Immediately. Require unique, strong, and complex passwords for all water systems, including connected infrastructure. Do not use default passwords. Consider implementing multi-factor authentication (MFA) where possible.
- Conduct an Inventory of Operational Technology (OT)/Information Technology (IT) Assets. Create an inventory of software and hardware assets, which will help the security team understand what needs to be protected.
- Develop and Exercise Cybersecurity Incident Response and Recovery Plans. Develop and exercise cybersecurity incident response and recovery plans, including defined incident response actions, roles, and responsibilities, as well as who to contact and how to report a cyber incident.
- Backup OT/IT Systems. Regularly backup OT/IT systems so they can be recovered to a known and safe state in the event of a compromise. Test backup procedures and isolate backups from network connections.
- Reduce Exposure to Vulnerabilities. Mitigate known vulnerabilities, especially known exploited vulnerabilities, and keep all systems up to date with patches and security updates.
- Conduct Cybersecurity Awareness Training. At a minimum, conduct annual cybersecurity awareness training to help all employees understand the importance of cybersecurity and how to prevent and respond to cyberattacks.