- The National Institute of Standards and Technology (NIST) is seeking public comment from stakeholders in the water and wastewater industries on a plan to protect thousands of facilities from future cyberattack.
- NIST’s National Cybersecurity Center of Excellence on Wednesday asked water utilities of all sizes to weigh in by Dec. 19 on a project designed to boost the industry’s cyber resilience. It will later result in a notice in the Federal Register.
- Drinking water and wastewater treatment facilities are increasingly vulnerable to cyberattacks, the agency said, as facilities become more dependent on connected systems. The project would secure remote access and network segmentation.
The security of the water and wastewater treatment industry has become a priority of federal regulators, particularly since the high-profile attack against an Oldsmar, Florida water treatment facility in February 2021 when a hacker tried to remotely poison the local water supply.
Federal authorities in late 2021 issued warnings about potential cyberattacks aimed at water and wastewater facilities. In separate attacks during the summer of 2021, threat actors used Ghost variant and ZuCaNo ransomware to launch attacks against facilities in California and Maine, respectively.
The Cybersecurity and Infrastructure Security Agency late last month said the security of water and wastewater treatment facilities would be among priority areas of focus. The Biden administration has rolled out plans to secure key providers of critical infrastructure.
The National Association of Water Companies sees water and wastewater treatment facilities as a national security concern. However, the industry group concedes there is a sophistication gap between large and small providers in terms of their ability to manage cyber threat activity.
“NAWC and its member companies have long supported state and federal initiatives aimed at driving uniform cybersecurity compliance and enforcement for all drinking water and wastewater system operators,” Robert Powelson, president and CEO of NAWC, said in an emailed statement. “We believe this is critical to defending the nation’s water and wastewater from cybersecurity attacks.”
While the organization is in full support of these efforts, Powelson said they hope the end result amounts to more than just guidelines and recommendations for these providers.
“We must establish compliance standards and audit implementation of those standards to truly protect the water and wastewater sector,” he said.