CISA announces free security scans for public water utilities

The U.S. Cybersecurity and Infrastructure Security Agency is offering free security scans for critical infrastructure facilities, such as water utilities, to help protect them from cyberattacks.

The midweek announcement comes as water treatment facilities across the country have faced rising security threats over the past two years, including a recent attempt by a former employee of one of the plant’s vendors to compromise the safety and protection systems of the water treatment facility in Discovery Bay, California.

In 2021, CISA and other agencies, including the FBI, Environmental Protection Agency and National Security Agency, issued a joint advisory report documenting the ongoing cybersecurity vulnerabilities in water systems nationwide, which “threaten their ability to provide potable water and effectively manage their wastewater.”

Drinking water and wastewater systems often offer public-facing applications that can be vulnerable to attack, potentially disrupting or halting operations.

CISA agents run specialized scanners to identify a facility’s vulnerabilities and weak configurations in internet-exposed endpoints, which threat actors and some ransomware groups commonly use for initial access.

Depending on the severity of flaws and vulnerabilities found, reports are generated within one to six days. The federal agency sends weekly reports with recommendations, while further scans determine if the water utilities have taken the steps to solve previously disclosed issues.

CISA’s new no-cost scanning program was co-developed with the EPA, the Water Sector Coordinating Council and the Association of State Drinking Water Administrators. CISA encouraged all drinking water and wastewater system operators to enroll in the service.

In the announcement, CISA said it aims to significantly reduce identified vulnerabilities in the first few months of security scans.