USA: NCCoE requests comments on cybersecurity for water and wastewater sector

On June 12, 2024, the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) requested public comments on NIST TN 2283 ipd, Cybersecurity for the Water and Wastewater Sector: Build Architecture. The guide highlights best practices, guidance, and solutions for cybersecurity in water and wastewater systems (WWS).

What are the potential risks?

Specifically, the guide first considers asset management. The cybersecurity risks to WWS facilities in this area include the use of devices and equipment provided by external vendors, automatic update installation being disabled, and devices that are no longer in active use, such as smart Internet of Things (IoT) devices.

Secondly, the guide highlights risks to data integrity, including data in transit that is not encrypted, which allows for cleartext transmissions, direct monitoring of system activity, and the provision of updates and changes by third-party integrators that have not been verified.

The guide also details the risk of remote access to networks through the use of well-known usernames and passwords, remote access to broad areas of operational technologies, and remote access without the use of multifactor authentication.

Finally, the guide notes the risks associated with network segmentation, such as the absence of a disconnect between industrial control systems and the general network, and access to critical equipment for plant operations from unsecured terminals.

What are the potential solutions?

The guide subsequently details cybersecurity capabilities intended to address the four risk areas above. In addition, the guide provides examples of relevant standards and guidance applicable to WWS, including:

  • NIST Framework for Improving Critical Infrastructure Cybersecurity;
  • NIST SP 800-82r2 IPD Guide to Operational Technology (OT) Security; and
  • American Water Works Association (AWWA) Cybersecurity Risk Management Tool.

Public comments can be submitted here until July 15, 2024.

You can read the press release here, the project page here, and the guide here.