CISA Announces Free Vulnerability Scanning for Water Utilities…To What End?
Since its founding in 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has been making great headway in helping organizations — both public and private — improve their cybersecurity posture and attack resilience. CISA’s goal is to help organizations harden systems and processes against cyber threats while establishing a more proactive approach to cyber risk management. The agency consistently produces free information, tools, and services for organizations to adopt, and holds informational sessions and training — again, mostly free of charge — for any entity that wants to increase its skill and efficacy in the fight against cyber crime.
Only a few years in existence, and after a somewhat rocky start due to inappropriate political meddling, the agency has been highly prolific with its publications and guidance. One of the newer pieces coming from CISA is its offer to assist water sector companies with vulnerability identification. Per CISA’s data sheet about the new program, water utility companies can receive free external vulnerability scanning-as-a-service to “assess the health of [your] internet-accessible assets by checking for known vulnerabilities, weak configurations—or configuration errors—and suboptimal security practices.”
Any water utility that signs up for the free service will receive automated scans of their internet-exposed assets (as determined by decision makers at the utility) and weekly reporting. The reports will include a criticality rating for identified vulnerabilities and guidance for mitigating found vulnerabilities. Further, CISA will perform re-scans of the specified environment based on initial scanning results.
By any measure, vulnerability identification and quantification is a necessary part of risk management — which is why vulnerability scanning has been a foundational element of businesses’ cybersecurity programs for years. In the case of utility companies, which may not employ a plethora of cybersecurity experts and/or which may be grappling with IT/OT/digital transformation issues, any free service (provided by a reputable vendor or tool) that surfaces vulnerabilities is a positive step toward closing control gaps that leave critical systems exposed to attack. Without an understanding of these exposures, no organization can expect to manage its networks and prevent or detect threats. Visibility is the first step, and that’s what CISA is offering.
An incomplete picture
Without a doubt, vulnerability assessments are one crucial step in achieving effective threat and risk management. But here’s where things get a little murky — for the CISA program and for vulnerability assessment tools in general: Vulnerability scanning, on its own, gives an incomplete picture of an organization’s threat environment. For one thing, scanning identifies only assets that are in scope and that are operational at the time of the scan. For the CISA program, the utility company (i.e., the “customer” or recipient of the scan) defines the scope of the scans, which requires an understanding of the network and the assets on it. Smaller, less-mature water utilities may not have that in-house expertise. So the starting point might be built on shaky ground.
Further, while the utility company can likely increase the scope of CISA’s scanning at any time, doing so still requires knowledge that a resource-strapped organization might not have. The CISA program (at least at this stage) does not provide guidance on how or where to increase scope.
Blind spots
Adding another layer of challenge: Scanning, by its very nature, isn’t continuous; it would consume too much compute power and likely introduce system latency (perhaps on critical systems, where it could disrupt or disable them). Because of the intermittent nature of vulnerability scanning, “blackout periods,” during which threat actors could do damage undetected, may occur. Not to mention, unless multiple types of scanning are conducted (e.g., network, application, etc.), the utility won’t have a complete view of its vulnerabilities. CISA provides a timetable for scanning frequency, which is based on the criticality of found vulnerabilities. But a savvy cyber criminal could find ways around the schedule. Defenders aren't the only ones who scan to check what is exposed, after all.
Alert fatigue
Speaking of identified vulnerabilities: even decently resourced security and IT teams at private organizations are used to the information overload and barrage of false positives that can result from activities like vulnerability scanning. The same might not be true of smaller, resource-strapped utility companies that may not even employ a full-time security professional. Triaging alerts, even if CISA is providing “detailed findings in consumable format to stakeholders,” could be crippling for an organization without a relatively mature security program in place.
Acting on the vulnerability mitigation recommendations supplied by CISA after the scans could be impossible for these organizations if they don’t have external help.
Lack of prioritization
If a water utility is able to effectively triage alerts, the next issue with which to contend is prioritization. While CISA provides plenty of guidance on vulnerability management and risk prioritization, including its Stakeholder-Specific Vulnerability Categorization (SSVC) methodology, every cyber remediation plan and process requires an individual assessment of the organization’s environment, risk tolerance, business goals, operational requirements, customer needs, technical capabilities, and so on. Again, for smaller, under-resourced utility companies and those without in-house security expertise, that decision process may be unattainable.
And if the utility can’t prioritize remediation, all the scan data provided by CISA will go into a black hole; it will become a long list of items for someone to attend to, sometime in the future, when resources allow.
All gloom and doom?
OK, OK — maybe this week, I am absorbing some of the gloom and doom that comes from working in the security industry for too long. And I don’t mean to be a Negative Nelly. In fact, I love what CISA is doing overall. As stated at the beginning of this article, CISA has done a lot of good things in a very short time, especially given the economic and political headwinds of the past few years. And, because of the state of most utility companies’ digital infrastructures, guidance and assistance must start at a foundational level. (I posit that every company needs to routinely revisit its security foundations to ensure the rest of the program isn’t built upon faulty footings. Most major breaches can be attributed to cracks in foundational controls. This is as true for private, mature, and well-resourced companies, which aren’t contending with quite as much legacy infrastructure, as it is for water plants.)
Still, even though a free scanning service for water companies is a step in the right direction, it’s just one step. More layers must be added as organizations start to see what they’re contending with. Information without action will leave these organizations exposed — and threat actors know it.
Therefore, it’s my suggestion that water utilities (and anyone else reading about this service) take CISA’s vulnerability scanning guidance and approach as one piece of a very large puzzle. Putting it into a greater context, and bolstering it with complementary processes and techniques, is the only way to ward off more threats.