In light of recent cyberattacks targeting critical infrastructure, water utilities across the nation are facing a heightened urgency to bolster their cybersecurity defenses. One way to bolster your utility’s defenses against cyber threats is by taking advantage of the Cybersecurity and Infrastructure Security Agency’s free cyber vulnerability scanning service.

CISA can help your drinking water and wastewater system identify and address vulnerabilities with a no-cost vulnerability scanning service subscription. CISA, the Water Sector Coordinating Council, and the Association of State Drinking Water Administrators encourage drinking water and wastewater utilities to use this service.

Benefits

CISA’s vulnerability scanning can help your utility identify and address cybersecurity weaknesses that an attacker could use to impact your system. The benefits of this service include:

• Identifying internet-accessible assets;
• Identifying vulnerabilities in your utility’s assets connected to the internet, including known exploited vulnerabilities and internet-exposed services commonly used for initial access by threat actors and some ransomware gangs;
• Weekly reports on scanning status and recommendations for mitigating identified vulnerabilities;
• Significant reduction in identified vulnerabilities in the first few months of scanning for newly enrolled water utilities; and
• Ongoing detection and reporting with continuous scanning for new vulnerabilities

How does it work?

CISA uses automated tools to conduct vulnerability scanning on your external networks. These tools look for vulnerabilities and weak configurations that adversaries could use to conduct a cyberattack. CISA’s scanning provides an external, non-intrusive review of internet-accessible systems. The scanning does not reach your private network and cannot make any changes.

CISA will send you weekly reports with information on known vulnerabilities found on your internet-accessible assets, week-to-week comparisons and recommended mitigations.

How to get started

1. Email vulnerability@cisa.dhs.gov with the subject line “Requesting Vulnerability Scanning Services.” Include the name of your utility, a point of contact with an email address and the physical address of your utility’s headquarters.
2. CISA will reply with a service request form and vulnerability scanning acceptance letter to obtain the necessary information about your utility and your authorization to scan your public networks.
3. Scanning typically begins within 10 days of receiving all completed forms.