Water and Wastewater Sector Advisory Alert

Michigan Department of Environment, Great Lakes, and Energy sent this bulletin at 12/18/2024 07:45 AM EST

Share or view as a webpage I Update preferences

Water and Wastewater Sector
Advisory Alert

The Michigan Cyber Command Center (MC3) is responsible for the coordination of combined efforts of cyber emergency response during critical cyber incidents in Michigan. Emphasis is placed upon prevention, response, and recovery from cyber incidents.

MC3 works collaboratively with the Michigan Department of Environment, Great Lakes, and Energy (EGLE), the Cybersecurity and Infrastructure Agency (CISA), Federal Bureau of Investigation (FBI), and the U.S. Environmental Protection Agency (EPA) to provide an overview of the cyber threats facing the water sector (drinking water, wastewater, industrial storm water) and additional resources that you can use to learn more about cybersecurity best practices and reducing the risk of cybersecurity threats. EGLE recommends that water sector utilities contact the MC3 to initiate criminal investigative assistance and response as soon as a critical cyber incident is identified.

Michigan Cyber Command Center
MC3@Michigan.gov
877-MI-Cyber (877-642-9237)

Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems

The Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) often identify internet-exposed Human Machine Interfaces (HMIs) at water and wastewater systems via web-based search platforms. In the absence of cybersecurity controls, unauthorized remote users can exploit HMIs to view the contents of the device and make unauthorized changes to potentially disrupt the facility’s water and/or wastewater treatment process. EPA and CISA are releasing this fact sheet to provide water and wastewater utilities with recommendations for limiting the exposure of HMIs on the internet and securing them against malicious cyber activity.

View the Fact Sheet Here

Resources

Understand and Evaluate your Exposure to the Public Internet: CISA Cyber Hygiene Scanning service provides weekly vulnerability reports of your public facing network assets. This gives you the information that an adversary would see when scanning the internet for targets. https://www.cisa.gov/cyber-hygiene-services
Cybersecurity Training for the Water Sector – Upcoming and Recorded trainings specific to the water sector. Check out the 30 minute YouTube video posted in the middle of this page: https://www.epa.gov/waterresilience/cybersecurity-training
Cybersecurity Assessments – if you would like to have an in-person, no-cost confidential cybersecurity assessment of your facility conducted by CISA and MC3, contact your EGLE district engineer.
Top Cyber Actions for Securing Water Systems
Cybersecurity for the Water Sector (Michigan.gov)

State and Local Cybersecurity Grant Program

The application period for Fiscal Year (FY) 2023 State and Local Cybersecurity Grant Program (SLCGP) funding is now open. The application can be accessed on the Michigan.gov SLCGP website FY 2023 Application For SLCGP Funding or here - FY 2023 SLCGP Application. If you are interested in submitting for a subgrant award, we encourage you to review the guidance documentation prior to submitting your actual application.

*The application cannot be saved and finished later. It is highly recommended that you complete your answers on a separate document first, then transfer those answers to the final application. *

The application guidance document can be found here - FY23 Application Guide

The FY23 application period is open Oct. 1, 2024, thru Dec. 30, 2024.

The deadline to submit your application is Dec. 30, 2024, at 11:59 p.m.

Michigan’s State and Local Cybersecurity Grant program manager is available to assist with this application process. Questions can be sent to DTMB-CIP-SLCGP@Michigan.gov or to Michelle McClish McClishM@Michigan.gov.

About the SLCGP The goal of the State and Local Cybersecurity Grant Program (SLCGP) is to help states, local governments, rural areas, and territories address cybersecurity risks and threats to information systems. The program enables the Department of Homeland Security (DHS) to make targeted cybersecurity investments in state, local, and territorial government agencies, thus improving the security of critical infrastructure and resilience of the services that state, local, and territorial governments provide to their communities.

How can the FY 2023 funding be used?

The SLCGP Advisory Board has developed eight programs to distribute the funds. Applicants are eligible to apply for all programs but are not guaranteed to be funded. Separate applications must be completed for each project area you are requesting funding:

Endpoint Detection & Response (EDR) Managed Detection & Response (MDR) Extended Detection Response (XDR) or Advanced Endpoint Protection: Where jurisdictions can receive funding to purchase subscriptions for EDR/MDR/XDR licensing vendor selected utilizing entities established procurement policies and within grant performance and spend period time frames.
Cybersecurity Assessments: Where jurisdictions can receive funding to purchase an independent cybersecurity assessment OR penetration testing for the organization utilizing existing MiDEAL negotiated contractors or another contracted vendor following the organization’s established procurement policies and within grant performance and spend period time frames.
Multifactor Authentication (MFA): Supports Required Element #5 – where jurisdictions can receive funding to purchase authentication devices, MFA software, or other systems/hardware supporting MFA, such as identity and access management (IAM) systems.
Advanced Backup Solutions: Where jurisdictions can receive funding to purchase backup software, cloud services, backup servers, storage devices, or other services that support recovery and reconstitution of entity backup data.
Migration to .gov Domain: Where jurisdictions can receive funding to pay for services that support the migration of the organization’s domain to a .gov internet domain. Managed service provider (MSP) services to pay support vendors to perform migration tasks to a .gov domain.
MSP Costs: Where jurisdictions can receive funding to pay MSPs for cybersecurity services that mitigate risk, improve cyber resiliency, and perform cybersecurity work where an organization does not have onsite staff to support.
Cybersecurity Awareness Training: Where jurisdictions can receive funding to purchase subscriptions for cybersecurity awareness training for employees to better understand cyber threats, best practices, incident response, compliance, and policies. KnowBe4, Proofpoint, SANS Institute, and Infosec IQ are examples of vendors providing security awareness training.
Cybersecurity Professional Training for IT/Security Staff: Where jurisdictions can receive funding to purchase professional cybersecurity training for those responsible for mitigation risk and maintaining resiliency in the organization’s environment. Example trainings include CompTIA, CySA+, PenTest+ Certification Training, SANS Institute Enterprise Cloud Security Architecture, Certified Ethical Hacker (CEH), and other security training and certifications that will increase the skills and knowledge of systems and security IT administration teams.

To request this material in an alternative format, contact EGLE-Accessibility@Michigan.gov or call 800-662-9278.

EGLE does not discriminate on the basis of race, sex, religion, age, national origin, color, marital status, disability, political beliefs, height, weight, genetic information, or sexual orientation in the administration of any of its programs or activities, and prohibits intimidation and retaliation, as required by applicable laws and regulations.

If you wish to no longer receive emails from us,
please update your preferences here:
Manage Preferences | Help

Need further assistance?
Contact Us | Provide Feedback