CISA’s Incident Response Guide outlines ways in which WWS owners and operators can engage with federal agencies to prepare for, mitigate, and respond to cyber incidents, including best practices for incident response and information about federal roles, resources, and responsibilities at each stage of the response lifecycle.

In January, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), along with Chris Wray, director of the Federal Bureau of Investigation (FBI), testified before Congress about the growing threat of Chinese cyberattacks against U.S. critical infrastructure. Director Easterly testified that “CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors, including aviation, energy, water, and telecommunications.” Director Easterly continued, stating, “Given the malicious activity uncovered by CISA, NSA, FBI, and industry partners, we are acting now, knowing that this threat is both real and urgent.”

In an effort to respond to this urgent threat, CISA—in collaboration with FBI and Environmental Protection Agency (EPA)—issued the Water and Wastewater Sector – Incident Response Guide (pdf). The Incident Response Guide was released, in part, to help owners and operators in the Water and Wastewater (WWS) sector, a key component of U.S. critical infrastructure, defend against threat actors seeking to disrupt water operations.

The guidance comes as a result of documented cyberattacks targeting WWS entities where threat actors deployed ransomware and attempted to tamper with the normal operations of facilities. In other instances, state-sponsored hackers compromised devices used at utilities. A recent analysis by the International Energy Agency found the number of cyberattacks on utilities more than doubled between 2020 and 2022 and currently averages more than 1,100 attacks per week.

Another motivating factor for the release of the Guide appears to be a report issued by the Department of Homeland Security’s Inspector General (IG). The DHS IG report (pdf) found that CISA’s engagement with the WWS sector was “lacking” and recommended CISA take steps to improve its collaboration with the EPA and the water sector “to leverage and integrate its cybersecurity expertise with stakeholders’ water expertise.”

According to the report, representatives from the WWS sector advised the DHS IG that they generally “did not have a good understanding of CISA’s products and services, which limited their ability to communicate what was available to their member organizations and resulted in potential missed opportunities to mitigate cyber risks.” In addition, officials highlighted that communications from CISA and EPA on cybersecurity were incoherent.

CISA agreed with the findings of the DHS IG report, stating it would address the cited deficiencies and work to improve coordination and engagement with the WWS sector. The Incident Response Guide is part of that effort.

Overview of the WWS Incident Response Guide Recommendations

According to the Guide, CISA—in conjunction with the FBI and EPA—advises water facilities to take specific steps during each stage of the four stages of the incident response lifecycle. For context, the four stages include:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication, and recovery
  4. Post-incident action

For preparation, the Guide advises the WWS sector to develop an incident response plan, implement available services and resources to raise their cyber baseline, and engage with the WWS Sector cyber community.

For detection and analysis, the Guide identifies two critical components for a robust incident response: (1) accurate and timely reporting and (2) rapid collective analysis. These components help affected organizations understand the “full scope and impact of a cyber incident.”

Containment, Eradication and Recovery Recommendations

For containment, eradication and recovery, the Guide recommends owners and operators in the WWS sector conduct their incident response plan while federal partners focus on “coordinated messaging and information sharing, and remediation and mitigation assistance.” Typical information shared with, or by, CISA during incident response efforts includes:

  • Relevant adversary tactics, techniques, and procedures
  • Relevant indicators of compromise
  • Other relevant technical data that utilities or their third-party service providers can utilize in their organizational-level response

Depending on the type of cyber incident, CISA may be able to provide guidance to WWS utility owners and operators regarding “defensive measures” that can be taken to “contain and eradicate unauthorized threat actors within their assets” including software vulnerability mitigation and adversary countermeasures and eviction.

Post-Incident Recommendations

For post-incident action, the guide recommends all relevant partners “conduct a retrospective analysis of both the incident and how responders handled it.” This summation of post-incident activities should culminate into “lessons learned.”

In addition to the recommendations in the Guide, CISA encourages WWS utilities to collaborate with federal partners—including CISA, FBI, EPA, the Office of the Director of National Intelligence (ODNI), and the DHS Office of Intelligence and Analysis (I&A)—before, during, and following a cyber incident.

Incident Reporting Will Remain in the Spotlight

Accurate and timely reporting of cyber incidents is likely to be a top priority for critical infrastructure entities due to the impending rulemaking deadlines cited in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

CISA, in accordance with CIRCIA, is required to publish a notice of proposed rulemaking for incident reporting requirements by March 2024. CISA will then have another 18 months to finalize the CIRCIA rules. Once in effect, critical infrastructure entities will be obligated to report cyber incidents to CISA within 72 hours and to report ransomware payments to the agency within 24 hours. The Guide tacitly acknowledges the ever-changing incident reporting obligations imposed by various regulatory entities by stating that the reporting landscape is “constantly evolving.” In addition, the Guide includes a disclaimer advising that it “is not intended to provide a comprehensive overview of all possible reporting channels.”

If you need help developing an incident response plan, implementing CISA’s guidance, or complying with state and federal incident notification requirements, contact a member of the WRVB Cybersecurity & Data Privacy team. Our team has knowledge and experience advising clients across industries, including energy, healthcare, banking/finance, technology, manufacturing, and municipal sectors.