Protecting Critical Infrastructure for Local Governments

“Disabling cyberattacks are striking water and wastewater systems throughout the United States.” (White House letter March 18, 2024)

State leaders in water and wastewater management have always known the value of protecting critical infrastructure and the potential societal and health risks associated with these systems when targeted by nation states or cyber criminals. Disruptive cyberattacks from adversarial nation states have led the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), U.S. Environmental Protection Agency (EPA), and other federal entities to issue numerous cyberattack advisories related to water and wastewater networks and process control systems targeted by malicious cyber actors.

The EPA, FBI and CISA have been working together to support and educate the water and wastewater management sector as part of their efforts to reduce risks across the 16 critical infrastructure sectors. In partnership with CISA and the FBI, the EPA released a new cybersecurity risk assessment resource for water and wastewater systems, providing an incident response guide for the sector. The agency also posted on its site that 70% of the systems it has inspected since September 2023 are in violation of the basic Safe Drinking Water Act (SDWA) Section 1433 requirements, including missing specific sections of their Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs). In some cases, while on site, the EPA inspectors “identified alarming cybersecurity vulnerabilities at drinking water systems across the country.”

On April 30, 2024, the Federal Government stepped into the conversation with the release of NSM-22, the National Security Memorandum on Critical Infrastructure Security and Resilience.

This memorandum addresses:

  • Shared Responsibility – Securing critical infrastructure is a public-private responsibility shared by Federal, State, local, Tribal and territorial entities, and the owners and operators of critical infrastructure.
  • Risk-Based Approach – Risk assessments must consider all threats and hazards, likelihood, vulnerabilities and consequences.
  • Minimum Requirements – Federal, State, local, Tribal, and territorial regulatory and oversight entities have a responsibility to prioritize establishing and implementing minimum requirements for risk management.
  • Accountability – Accountability mechanisms should continuously evolve to keep pace with the Nation’s risk environment.
  • Information Exchange – The Federal Government will support a robust information sharing environment and public-private cooperation that enables actions and outcomes that reduce risk.
  • Expertise and Technical Resources – The Federal Government will leverage expertise and technical resources from all relevant Federal departments to mature the capacity and capability of each effort.
  • International Engagement – Recognizing the interconnectedness of global infrastructure, the government will work closely with international partners to strengthen security and resilience.
  • Policy Alignment – Efforts to safeguard critical infrastructure will be fully integrated and coordinated with complementary Federal policies and frameworks, including domestic incident management and national preparedness.

Response Needed by June 28, 2024 – What’s Your Plan?

A memo from the National Security Advisor to the Governors asks each state for a response outlining its Cybersecurity Water System Action Plan by June 28, 2024. If putting together a plan seems daunting, Red River can help you assess your current situation and determine the appropriate path forward, ensuring an affordable, scalable response that supports continuous operations in a secure environment.

The Red River Cybersecurity Practice can support your organization by providing the guidance, tools, training and technical assistance needed to assess, architect, optimize, plan, and operationalize your cybersecurity strategy. We partner with all major OEMs and can provide assessments, Professional Services and Managed Services to ensure your cybersecurity needs are addressed and goals are achieved.

For more information and to get started on a plan, contact us with the form below.