CISA Releases Cyber Risk Summary for Water and Wastewater Services Sector

Report identifies trends based on information collected from water and wastewater entities in FY 2021

WASHINGTON, D.C. — On March 23, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) released the attached summary outlining findings from its Cyber Hygiene (CyHy) Vulnerability Scanning and Cybersecurity Assessments services. Identified trends are based on information collected from 44 Water and Wastewater Services (WWS) entities in fiscal year 2021.

• 34.7% of scanned WWS Sector entities used a potentially exposed risky service, such as Remote Desktop Protocol (RDP), on internet-accessible hosts; such services can provide initial access as well as communication channels for command and control and data exfiltration.

• 16.3% of the scanned WWS Sector entities ran unsupported Windows operating systems (OSs) on at least one internet-accessible host by the end of FY21.

• From October 2020 to September 2021, newly enrolled WWS Sector entities in CyHy VS reduced their active vulnerabilities by an average of 37.5% within the first three months.

• By the end of FY21, all identified known exploited vulnerabilities (KEVs) were remediated, likely decreasing the risk of compromise for some WWS entities.

In addition to identifying vulnerabilities, the report provides a number of recommendations to reduce risks, including:

• Prioritize remediation of vulnerabilities using a risk-based approach that considers likelihood of attack, ease of exploitation, and the magnitude of probable impact.

• Securely configure internet-accessible ports and services on systems and devices by implementing strong identity and access management controls, including strong passwords, multifactor authentication (MFA), and the principle of least privilege.

• Update legacy software and OSs to supported versions in a timely manner and within organizational constraints.

• Segment control system networks and remote devices from the organizational network.

• Use the Secure Shell (SSH) Protocol for remote access and virtual private network (VPN).
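The findings above are percentages of entities with a risky service or an unsupported OS on an internet-accessible host, and the first recommendation is a risk-based ordering of remediation work. The following script, added here as an illustration and not part of CISA's report or the CyHy service, shows how a utility could compute the same kind of figures from its own external-scan inventory and build a remediation queue that works KEVs first and then orders the rest by likelihood of attack, ease of exploitation and magnitude of impact. The inventory, the utility names, the `VULN-000n` identifiers, the risky-service list, the end-of-support Windows list and the 1-to-3 scoring scale are all constructed assumptions for the example.

```python
"""Risk triage over a constructed external-scan inventory (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Illustrative lists, not CISA's definitions: services whose exposure on an
# internet-facing host is treated as risky, and Windows versions that had
# reached end of support by FY21.
RISKY_SERVICES: Set[str] = {"rdp", "smb", "telnet", "vnc"}
UNSUPPORTED_WINDOWS: Set[str] = {"Windows XP", "Windows 7", "Windows Server 2008 R2"}


@dataclass
class Vulnerability:
    vuln_id: str          # constructed placeholder, not a real CVE number
    cvss: float
    in_kev: bool          # listed in a known-exploited-vulnerabilities catalog
    likelihood: int       # 1 (low) .. 3 (high): likelihood of attack
    ease: int             # 1 .. 3: ease of exploitation
    impact: int           # 1 .. 3: magnitude of probable impact


@dataclass
class Host:
    entity: str           # utility the internet-accessible host belongs to
    ip: str
    os: str
    services: List[str]   # service names observed open from the internet
    vulns: List[Vulnerability] = field(default_factory=list)


def entities_with_risky_service(hosts: List[Host]) -> Set[str]:
    """Entities exposing at least one risky service on a scanned host."""
    return {h.entity for h in hosts if RISKY_SERVICES & {s.lower() for s in h.services}}


def entities_with_unsupported_os(hosts: List[Host]) -> Set[str]:
    """Entities running an end-of-support Windows version on a scanned host."""
    return {h.entity for h in hosts if h.os in UNSUPPORTED_WINDOWS}


def share(subset: Set[str], hosts: List[Host]) -> float:
    """Percentage of scanned entities that fall in `subset`, one decimal place."""
    entities = {h.entity for h in hosts}
    return round(100.0 * len(subset) / len(entities), 1) if entities else 0.0


def risk_score(v: Vulnerability) -> int:
    """Product of likelihood, ease and impact; higher means remediate sooner."""
    return v.likelihood * v.ease * v.impact


def prioritize(hosts: List[Host]) -> List[Tuple[str, str, str]]:
    """Remediation queue: KEVs first, then by risk score, then by CVSS.

    Returns (entity, host ip, vuln id) tuples in the order to work them."""
    findings = [(h, v) for h in hosts for v in h.vulns]
    findings.sort(key=lambda hv: (not hv[1].in_kev, -risk_score(hv[1]), -hv[1].cvss))
    return [(h.entity, h.ip, v.vuln_id) for h, v in findings]


def summarize(hosts: List[Host]) -> Dict[str, object]:
    """Sector-style summary figures plus the ordered remediation queue."""
    risky = entities_with_risky_service(hosts)
    unsupported = entities_with_unsupported_os(hosts)
    return {
        "entities_scanned": len({h.entity for h in hosts}),
        "risky_service_pct": share(risky, hosts),
        "unsupported_os_pct": share(unsupported, hosts),
        "open_kevs": sum(v.in_kev for h in hosts for v in h.vulns),
        "queue": prioritize(hosts),
    }


# Constructed sample inventory for five fictional utilities (documentation
# address range, placeholder vulnerability ids).
SAMPLE_HOSTS: List[Host] = [
    Host("Utility-A", "198.51.100.10", "Windows Server 2019", ["https"],
         [Vulnerability("VULN-0001", 7.5, False, 2, 2, 2)]),
    Host("Utility-B", "198.51.100.20", "Windows 7", ["rdp"],
         [Vulnerability("VULN-0002", 9.8, True, 3, 3, 3)]),
    Host("Utility-C", "198.51.100.30", "Ubuntu 20.04", ["ssh"]),
    Host("Utility-D", "198.51.100.40", "Windows Server 2008 R2", ["smb", "https"],
         [Vulnerability("VULN-0003", 5.3, False, 1, 1, 3)]),
    Host("Utility-E", "198.51.100.50", "Ubuntu 20.04", ["telnet"],
         [Vulnerability("VULN-0004", 6.5, False, 2, 3, 2)]),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

On the sample inventory, three of the five utilities expose a risky service (60.0%) and two run an unsupported Windows version (40.0%); the queue puts the single KEV first even though a higher-scoring non-KEV finding would otherwise compete with it, which is the ordering the report's remediation figures imply. Real scan exports will need a small adapter to populate `Host` and `Vulnerability`, and the 1-to-3 scale should be replaced by whatever likelihood, exploitability and impact ratings the organization actually maintains.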

If you have any feedback regarding this product, please fill out the CISA Product Survey.