Wednesday, December 13, 2023

Cybersecurity: simple steps to protect your system

Cyberattacks on critical infrastructure in the US continue to be a major concern and threaten to disrupt the critical work that water and wastewater systems do for their communities. On October 12, 2023, the US EPA withdrew its Cybersecurity Rule, citing legal challenges. However, cybersecurity planning and attack prevention continue to be a central focus of the federal government, and EPA and CISA continue to provide technical support to water systems. Regardless of federal requirements, the division wants to emphasize the significant financial and operational risks that cyberattacks pose to systems. The division continues to partner with state and federal entities to provide cybersecurity planning tools, resources, training opportunities, and self-evaluations.

Who is vulnerable?

According to a recent Waterfall Security Report, in 2022 the critical infrastructure sector experienced a 140% surge in cyberattacks, resulting in more than 150 incidents. The majority of these attacks were ransomware, which encrypted critical computer systems and invaluable data across information technology (IT) networks. However, the attacks impacted operational technology (OT) as well. Any system that uses OT and/or IT is vulnerable to cyberattacks. These attacks can negatively affect treatment, distribution, collections, administrative support, and financial/billing systems. These effects can impact your ability to protect public health and the environment and often cost large sums of money. Here are some examples of OT and IT:

  • OT = industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), remote terminal units (RTUs), Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices (also known as Industry 4.0), building management systems, fire control systems, and physical access control mechanisms.
  • IT = laptops, desktops, tablets, servers, computer hardware, software, electronics, semiconductors, internet, telecom equipment, and e-commerce.

What are some basic steps you can take to protect your system?

Regardless of the size of your system or the scope of your technology use, please take the following basic cybersecurity steps at your facility to help prevent cyberattacks:

  1. Change passwords regularly (at least once every 3 months). 
  2. Use multi-factor authentication for access.
  3. Take away system access when staff leave the utility.
  4. Implement regular staff training on cybersecurity fundamentals (especially how to recognize phishing attempts).
  5. Perform system maintenance:
    • Make frequent backups.
    • Keep software up to date and install patches.

According to EPA and CISA, taking these low-cost steps can prevent many cyberattacks.

In addition to the above basic preventive measures, you and your system can explore the many available free cybersecurity tools and resources:

Thank you for all that you and your system do to protect the public health and environment of Colorado’s communities! Please reach out to the division’s security contact kyra.gregory@state.co.us with any questions. 

➽ Heather Young Field Services Section Manager 

➽ Kyra Gregory Drinking Water Training Specialist