Navigating Federal Cybersecurity Recommendations for Public Water Utilities: How Tenable Can Help

Cyberthreats to water and critical infrastructure have prompted the EPA to recommend states use the increased funding provided in the Bipartisan Infrastructure Bill for the Drinking Water State Revolving Fund to bolster their cybersecurity defenses. Here’s what you need to know — and how Tenable can help.

It’s been nearly 18 months since the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Environmental Protection Agency (EPA) issued a joint Cybersecurity Advisory warning that U.S. water and wastewater systems were being targeted by malicious actors. In February 2021, attackers attempted to poison the water treatment system in Oldsmar, FL. The U.S. Environmental Protection Agency (EPA) has said it is “critical” for such facilities to implement cybersecurity best practices. 

Cyberattacks against public water supplies are certainly not unique to the U.S. For example, U.K. water supplier South Staffordshire PLC was the victim of a ransomware attack in August 2022. Yet, the unique nature of U.S. systems — which are managed by a patchwork of state and local governments and private-sector entities — makes shoring up their cybersecurity particularly challenging.

In its “Water Sector Cybersecurity Brief for States,” the EPA recommends that all drinking water and wastewater utilities take mitigation actions, including:

• prioritizing the remediation of known exploited vulnerabilities;
• enabling and enforcing multifactor authentication with strong passwords;
• closing unused ports; and
• removing any unnecessary applications.

It is also expected that the EPA will soon require states to expand inspections to include cybersecurity threats for about 1,600 water systems.

Aging systems, known vulnerabilities increase cyber risk

As the October 2021 joint advisory notes, the municipalities that operate water systems often lack the resources to employ “consistently high cybersecurity standards,” which may contribute to the use of “ unsupported or outdated operating systems and software.” According to the joint advisory, these outdated systems, control system devices or firmware versions expose water system networks to “publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data.”

Ransomware is a particular area of concern. A joint Cybersecurity Advisory issued on November 17, 2022, warns that ransomware actors are targeting a wide range of businesses and critical infrastructure sectors.

“EPA encourages states to utilize the significant increase in SRF funding for infrastructure projects that make water systems more resilient to all threats — whether it is natural disasters, climate change, or threats such as bioterrorism and cyberattacks.”

The Drinking Water State Revolving Fund (DWSRF), established as part of the Safe Drinking Water Act in 1996, provides financial assistance to publicly owned and privately owned water systems for drinking water infrastructure projects. An additional $11.7 billion for DWSRF was provided in the Bipartisan Infrastructure Law, signed in November 2021. The funds, available for fiscal years 2022-2026, represent the largest investment in U.S. water infrastructure in history. EPA's Fact Sheet, "Bipartisan Infrastructure Law: State Revolving Funds Implementation Memorandum" expressly states, “EPA encourages states to utilize the significant increase in SRF funding for infrastructure projects that make water systems more resilient to all threats — whether it is natural disasters, climate change, or threats such as bioterrorism and cyberattacks.” EPA also details how the DWSRF may be used to support state programs and communities with cybersecurity measures in the Fact Sheet, “Supporting Cybersecurity Measures with the Drinking Water State Revolving Fund,".

How Tenable enables water utilities to identify and prioritize vulnerabilities

Tenable has extensive experience helping water and wastewater services protect their network-connected devices. Our solutions enable users to gain complete visibility of the converged IT and operational technology environment to build an accurate asset inventory, identify vulnerabilities and prioritize risks based on asset context.

For example, The City of Raleigh now spends less time on inventory management and more time investigating threats and remediating vulnerabilities in its water systems thanks to Tenable.ot. Tenable’s advanced threat detection engine identifies suspicious activity at the network and device layer, notifying security teams via easy-to-read enterprise security dashboards, enabling quick responses to cyberthreats. Tenable maintains audit logs, monitoring operational technology devices for configuration changes in order to identify accidental or malicious changes, ensuring systems meet corporate policy and compliance requirements.

Tenable is a market leader in industrial control systems (ICS) security and the trusted name in cybersecurity by more than 40,000 customers worldwide. Backed by Tenable’s research team, the leader in vulnerability coverage, and patented active query technology, public water systems can rely on Tenable to stop threat actors before they can disrupt critical water services.

Learn more

• Webinar: In the Face of EPA Recommendations, Get Expert Guidance for Funding and Effectively Strengthening Your Water Utility's Cyber Defenses
• Protecting Public Water Systems from Cyberattacks
• Tenable OT Security Solutions for Water Utilities
• Forrester Wave Report for Industrial Control Systems (ICS) Security Solutions
• City of Raleigh Case Study
• State and Local Cybersecurity Grant Program (SLCGP)