The program was co-developed with the Environmental Protection Agency (EPA), Water Sector Coordinating Council (WSCC), and the Association of State Drinking Water Administrators (ASDWA), and it asks for all drinking water and wastewater system operators to sign up for the program.

"You can reduce the risk of a cyberattack at your utility by externally scanning your networks for vulnerabilities caused by publicly facing devices." reads the program's description

"(CISA) can help your drinking water and wastewater system identify and address vulnerabilities with a no-cost vulnerability scanning service subscription."

The program works by having CISA's agents run specialized scanners that identify a facility's internet-exposed endpoints and discover vulnerabilities or misconfigurations in those known to be exploited by hackers.

CISA then sends weekly reports with action recommendations, while subsequent scans determine if the water utilities have taken the required steps to mitigate previously disclosed problems.

Weekly scan report sample

Weekly scan report sample (CISA)

For critical severity flaws and vulnerabilities known to be actively exploited, initial reports are generated within 24 hours, and re-scans are performed every 12 hours.

For lower risky flaws, the re-evaluation takes place between 1 and 6 days, depending on the severity rating of the discovered problems.

The cybersecurity agency notes that its automated scanners will not access private networks, nor can they perform any changes, so there's no risk of data exposure for the stakeholders.

Operational phases

Operational phases (CISA)

To enroll in the program, email [email protected] with the subject line "Requesting Vulnerability Scanning Services," including the utility's name and address, and a CISA agent will reply with guidance on the following steps.

The security of water treatment facilities has come under the spotlight recently due to recent breaches.

Rambler Gallo's deliberate attempt to compromise the Discovery Bay Water Treatment Facility in California illustrates the dangers posed by inadequate access management, which extended to the health and safety of 15,000 residents.

As the U.S. Water and Wastewater Systems (WWS) reports a rise in ransomware attacks on public utilities, it's clear that securing water utilities is not only a public health priority but also crucial for national security.