The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has launched a complimentary security scanning service for key infrastructure establishments like water utilities, aiming to bolster their defenses against cyber infiltrations.
This initiative is a collaborative effort between the Environmental Protection Agency (EPA), Water Sector Coordinating Council (WSCC), and the Association of State Drinking Water Administrators (ASDWA). It extends an invitation to operators of drinking water and wastewater systems to participate in the program.
The program description states, “By conducting external scans of your networks, you can minimize the cyberattack risk at your utility, particularly vulnerabilities stemming from publicly accessible devices.”
“CISA offers a free vulnerability scanning service subscription to aid your drinking water and wastewater system in spotting and rectifying vulnerabilities.”
Strengthening Water Utilities
The procedure involves CISA personnel utilizing specialized scanning tools to pinpoint a facility’s internet-accessible endpoints, and to uncover any vulnerabilities or incorrect configurations in those areas, which are known to be targeted by cyber adversaries.
Following the scanning, CISA provides weekly reports comprising actionable suggestions, with subsequent scans assessing whether the water utilities have implemented the necessary measures to address the previously identified issues.
In cases of critical severity flaws or actively exploited vulnerabilities, initial reports are generated within a 24-hour timeframe, and follow-up scans are conducted every 12 hours.
For less critical flaws, the reassessment occurs within a period of 1 to 6 days, contingent on the severity level of the identified issues.
CISA emphasizes that the automated scanning tools are designed to avoid accessing private networks or making any alterations, thereby eliminating the risk of data exposure for the involved parties.
To join the program, interested utilities can reach out via email to vulnerability@cisa.dhs.gov, with the subject line “Requesting Vulnerability Scanning Services.” The email should include the utility’s name and address, and a CISA representative will respond with further instructions.
The move to enhance the cybersecurity of water treatment facilities comes in the wake of recent security breaches, drawing attention to the importance of safeguarding these critical infrastructures.