The water and wastewater sector is grappling with cybersecurity challenges that leave it vulnerable to attacks, the U.S. Cybersecurity and Infrastructure Security Agency warned in Thursday guidance, citing variable cyber maturity levels and solutions beyond the reach of tightly budgeted communities.

See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

The U.S. cyber defense agency published a joint incident response guide with the Environmental Protection Agency and FBI that aims to help water and wastewater systems develop incident response plans and improve practices for sharing information with the federal government.

The agencies urge owners and operators of water and wastewater systems to develop organizational-level incident response plans, establish strong cybersecurity baseline standards and enhance information-sharing measures.

Its publication comes just days after the Department of Homeland Security Office of Inspector General recommended CISA improve its coordination with the EPA in supporting water and wastewater sector cybersecurity efforts. The report says “CISA officials acknowledged the need to improve its collaboration with EPA and produce better products for the water sector.” (See: US CISA Must Improve Water Sector Assistance, Says Watchdog.)

“Cyber threat actors are aware of – and deliberately target – single points of failure,” the guidance states. “A compromise or failure of a water and wastewater sector organization could cause cascading impacts throughout the sector and other critical infrastructure sectors.”

The incident response guide aims to provide organizations with best practices for all four stages of the incident response life cycle – from preparation through detection, recovery and post-incident activities. The guidance says “the cyber incident reporting landscape is constantly evolving” and encourages water sector officials to review their reporting obligations and “consider engaging in additional voluntary reporting and/or information sharing” measures.

Eric Goldstein, CISA’s executive director for cybersecurity, said in a statement announcing the joint guidance that the U.S. water and wastewater sector “is under constant threat from malicious cyber actors.”

“In the new year, CISA will continue to focus on taking every action possible to support ‘target-rich, cyber-poor’ entities like WWS utilities by providing actionable resources and encouraging all organizations to report cyber incidents,” he said.

CISA has been working to improve federal cybersecurity support for the water and wastewater sector in recent years. In 2022, it released an Industrial Control Systems Cybersecurity Initiative with the EPA that aimed to produce “high-impact activities that can be surged to safeguard water resources by improving cybersecurity across the sector.” Those steps included establishing a task force of water sector leaders, experimenting with new pilot projects and improving information-sharing and data analysis efforts (see: CISA, EPA Issue 100-Day Cyber Plan for Water Utilities).

The guidance says the U.S. water and wastewater sector is “large and complex,” with nearly 50,000 water systems across the country and over 16,000 publicly owned wastewater treatment systems. The sector includes a diverse network of owners and operators ranging from municipal authorities to private entities, which adds more complexity to the challenge of providing universal cybersecurity standards and regulations.