Last week classes for elementary schools, high schools and a community college in Boston were canceled due to a cyberattack.1 Last month an Arkansas school district approved a payment of $250,000 to cybercriminals to retrieve stolen data.2 Similar attacks were reported in at least 90 other schools and universities last year, about the same as in the previous year.3
According to the United States Government Accountability Office, the impact of cyberattacks on K-12 schools during 2018-2021 included loss of learning ranging from three days to three weeks, with recovery time ranging from two to nine months.4 Furthermore, there are no official channels to coordinate the efforts of the three federal agencies that are trying to help.
Cybercriminals are also tearing apart our local governments. A week ago, the Housing Authority of the City of Los Angeles confirmed that they are working through a “cyber event”5 involving the release of personal information on a dark web leak site. This pales in comparison to the 2018 cyberattacks in Baltimore and Atlanta that cost millions to remedy.6
In December 2022 the New York Times published an article summing up the impact cybercriminals have had during this time span.7 Since 2017, more than 3,600 local, state and tribal governments have been targeted by ransomware hackers, according to the Multi-State Information Sharing and Analysis Center, which comprises 13,000-plus members.
While the entities above fall into at least two of the sixteen sectors considered critical infrastructure (CI) – emergency services and government facilities – guidance for their cybersecurity programs has been limited due to budget constraints, an evolving threat landscape and the disparate roles of special districts within some local governments.
It is pertinent to note that since the “Executive Order on Improving the Nation’s Cybersecurity” was issued in May 2021, several events have taken place to get things moving in the Water and Wastewater Systems (WWS) sector, given that safe drinking water “is a prerequisite for protecting public health and all human activity” and “is essential to modern life and the Nation’s economy.”8
In 2021, cybercriminals hacked into a water treatment facility in Florida and increased chemical levels to one hundred times their normal levels. Several months later in Utah, cybercriminals hacked into a regional water district and demanded a ransom payment. Fortunately, neither of these events affected public health.9
Crises were averted in Florida and Utah due to the unclear and uncoordinated motives of the threat actors. Nevertheless, these events underscored the vulnerabilities present in the WWS sector and its industrial control systems (ICS). The term ICS describes the devices, systems, networks and controls used to operate and/or automate industrial processes.
As with the Energy and Transportation sectors previously highlighted,10 foundational requirements to combat cyberattacks for the WWS sector were also released as part of the Cybersecurity and Infrastructure Security Agency’s (CISA) Unified Initiative Plan for 2019-2023.11 In December 2021, the White House began seeking input from WWS participants.
Earlier in November 2022, the National Cybersecurity Center for Excellence and the National Institute of Standards and Technology issued draft cybersecurity guidelines for the WWS sector seeking input from WWS participants. The goal was to create a mitigation strategy that will allow threats to be contained without compromising water pipelines.12
The draft guidelines, titled Securing Water and Wastewater Utilities, are an outline of fifteen fundamentals for WWS cybersecurity, including specific references to written information security program (WISP) and incident response plan (IRP) requirements, and myriad processes for mitigating threats and deploying security enhancements.
As advised during October, Cybersecurity Awareness Month,13 we recommend that Emergency Services, Government Facilities and WWS organizations (1) refine their Cybersecurity Incident Response Plans, (2) revisit their Cybersecurity Risk Assessments and (3) realign their Written Information Security Programs, to be consistent with the pending requirements.14
In addition, if they haven’t done so already, WWS sector entities should consider joining the sector’s information sharing and analysis center.15 This will enable them to train all employees on the pending cybersecurity standards. These standards will soon be released now that the public comment period for Securing Water and Wastewater Utilities has ended.