CISA Releases Cyber Risk Summary for Water/Wastewater Sector

The report identifies trends based on information collected from water and wastewater entities in fiscal year 2021


The Cybersecurity & Infrastructure Security Agency recently released the attached summary outlining findings from its Cyber Hygiene (CyHy) vulnerability scanning and cybersecurity assessments services. Identified trends are based on information collected from 44 water and wastewater services (WWS) entities in fiscal year 2021.

The agency found that:

• 34.7% of scanned WWS sector entities used a potentially exposed risky service, such as remote desktop protocol, on internet-accessible hosts, which can provide initial access and communication channels for command and control, and data exfiltration.
• 16.3% of the scanned WWS sector entities ran unsupported Windows operating systems on at least one internet-accessible host by the end of fiscal year 2021.
• From October 2020 to September 2021, newly enrolled WWS sector entities in CyHy vulnerability scanning reduced their active vulnerabilities by an average of 37.5% within the first three months.
• By the end of fiscal year 2021, all identified known exploited vulnerabilities were remediated, likely decreasing risk of compromise of some WWS entities.

In addition to identifying vulnerabilities, the report provides a number of recommendations to reduce risks, including:

• Prioritize remediation of vulnerabilities using a risk-based approach that considers likelihood of attack, ease of exploitation and the magnitude of probable impact.
• Securely configure internet-accessible ports and services on systems and devices by implementing strong identity and access management controls, including strong passwords, multifactor authentication and the principle of least privilege.
• Update legacy software and operating systems to supported versions in a timely manner and within organizational constraints.
• Segment control system networks and remote devices from the organizational network.
• Use the Secure Shell protocol and a virtual private network for remote access.
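As an added example, not CISA's CyHy tooling, the script below computes the two exposure metrics quoted in the findings from constructed per-entity scan records and orders remediation the way the first recommendation suggests (known exploited vulnerabilities first). The risky-service list beyond RDP, the unsupported-Windows list, the record fields and the CVE placeholders are assumptions.

```python
"""Compute CyHy-style sector metrics from constructed scan findings."""
from collections import defaultdict

# Services treated as "potentially exposed risky services" when reachable from
# the internet. RDP is named in the report; the rest are assumptions.
RISKY_SERVICES = {3389: "rdp", 23: "telnet", 445: "smb", 21: "ftp"}
# Windows versions treated as unsupported here (assumption for the example).
UNSUPPORTED_WINDOWS = {"Windows 7", "Windows Server 2008 R2", "Windows Server 2003"}

# Constructed sample records: (entity, host, open_port, os_name, kev_cves)
FINDINGS = [
    ("utility-a", "203.0.113.10", 3389, "Windows Server 2012 R2", ["CVE-PLACEHOLDER-1"]),
    ("utility-a", "203.0.113.11", 443, "Linux", []),
    ("utility-b", "198.51.100.5", 443, "Windows Server 2008 R2", []),
    ("utility-c", "192.0.2.7", 22, "Linux", []),
    ("utility-d", "192.0.2.40", 23, "Windows 7", ["CVE-PLACEHOLDER-2"]),
]


def sector_metrics(findings):
    """Return entity count, the two sector percentages and the KEV backlog."""
    entities = defaultdict(lambda: {"risky_service": False, "unsupported_os": False, "kev": set()})
    for entity, _host, port, os_name, kevs in findings:
        e = entities[entity]
        if port in RISKY_SERVICES:          # risky service on an internet-facing host
            e["risky_service"] = True
        if os_name in UNSUPPORTED_WINDOWS:  # unsupported Windows on at least one host
            e["unsupported_os"] = True
        e["kev"].update(kevs)
    n = len(entities)

    def pct(flag):
        return round(100.0 * sum(1 for e in entities.values() if e[flag]) / n, 1)

    return {
        "entities": n,
        "pct_risky_service": pct("risky_service"),
        "pct_unsupported_windows": pct("unsupported_os"),
        "kev_backlog": {k: sorted(v["kev"]) for k, v in entities.items() if v["kev"]},
    }


def remediation_queue(findings):
    """Risk-based ordering: KEV hits outweigh exposed risky services, which outweigh unsupported OS."""
    def score(f):
        _entity, _host, port, os_name, kevs = f
        return (3 if kevs else 0) + (2 if port in RISKY_SERVICES else 0) + (1 if os_name in UNSUPPORTED_WINDOWS else 0)
    ranked = sorted(findings, key=score, reverse=True)
    return [(f[0], f[1], score(f)) for f in ranked if score(f) > 0]
```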

Those with feedback regarding this product may fill out the CISA Product Survey.
