NIST wants to help prevent a major cyberattack on the water sector
The National Institute of Standards and Technology aims to provide a practical guide to address unique cyber challenges impacting America’s complex water systems.
The National Institute of Standards and Technology is wading into the water sector with its first-ever cybersecurity framework designed specifically for water infrastructure.
NIST’s National Cybersecurity Center of Excellence is seeking input from technology vendors, water sector members and other key stakeholders on a new practical reference design for mitigating cyber risks in water and wastewater systems.
Jim McCarthy, a NIST senior security engineer and the lead federal researcher for the project, told Nextgov/FCW that the goal is to provide the water and wastewater sector with practical examples of commercial tools and technologies that can be used to prevent major cyber intrusions.
“Given this is our first project in the water and wastewater sector, we want to create cybersecurity guidance that is comprehensive and useful to small, medium and large utilities,” McCarthy said. “We want to increase cybersecurity for the sector by showcasing cybersecurity capabilities.”
The project is expected to feature a reference design and a detailed implementation guide that addresses four main cybersecurity challenges across the water and wastewater sector, including asset management, data integrity, remote access and network segmentation.
NIST will select partners from among cybersecurity firms, as well as water and wastewater sector members with relevant cybersecurity solutions, to enter into consortium Cooperative Research and Development Agreements. The selected collaborators will then provide examples of cybersecurity solutions and technical expertise to NIST that can be leveraged for a publicly available Cybersecurity Practice Guide, expected to be published sometime next year.
NIST issued a Federal Register Notice this month that identified several unique challenges in protecting critical infrastructure across the water and wastewater sector, such as utilities covering a geographically diverse area while typically featuring a complex distribution of networks and infrastructure.
The project specifically calls for solutions that can provide automation capabilities to establish a baseline security posture, monitor operational technology environments to detect potential data integrity violations and establish controlled remote access to OT assets outside of the operational environment. NCCoE is also seeking technology solutions that can provide enhanced network segmentation capabilities to more effectively manage access to isolated network subsets.
As the sector risk management agency tasked with overseeing cybersecurity efforts across the water and wastewater sectors, the Environmental Protection Agency has taken recent steps to improve the sector’s overall cyber posture. The agency issued a series of mandates earlier this year for water systems to begin implementing adequate security measures that align with the White House national cybersecurity strategy.
But with more than 50,000 drinking water and nearly 16,000 wastewater systems across the country, the sector has consistently been recognized as a weak link in the nation’s critical infrastructure security posture.
NIST launched the new public-private sector collaboration following several recent reports that pointed to systemic cybersecurity concerns across the water and wastewater sector. A report published last year by the Foundation for the Defense of Democracies, a non-profit research institute, identified “significant cybersecurity deficiencies” throughout the sector, as the Cyberspace Solarium Commission said in a review “that there is insufficient coordination between the EPA and other stakeholders in water utilities’ security.”
McCarthy noted that the forthcoming guidance is “not specifically designed to satisfy compliance requirements,” but rather to identify commercial solution providers and to offer a framework for water and wastewater sector owners and operators aiming to improve their overall cyber posture.