The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a joint cyber advisory Oct. 14 warning of an ongoing cyber threat to U.S. Water and Wastewater Systems (WWS) facilities and gave the WWS sector recommended mitigations.
CISA released the advisory in conjunction with the FBI, Environmental Protection Agency (EPA), and National Security Agency (NSA) and warned of ongoing malicious cyber activities by “both known and unknown actors” focusing on WWS information technology (IT) and operational technology (OT).
“This activity – which includes attempts to compromise system integrity via unauthorized access – threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” the advisory warns.
Cybersecurity advocates have been ringing the bell on the cybersecurity of WWS facilities for a while, and a few bills working their way through Congress are looking to address the issue in one way or another. The advisory lists out five cyber intrusions on WWS facilities between 2019 and early 2021; three intrusions took place between March and August 2021.
The advisory notes that cyber intrusions targeting WWS facilities primarily rely on ransomware and on insider threat vulnerabilities. The latter includes exploiting vulnerabilities that relate to current or former employees with improperly activated credentials.
CISA warns that WWS facilities may be vulnerable to threat actors looking to exploit unsupported operating systems or software, exploit control system devices with vulnerable firmware versions, or run spearphishing campaigns against employees to implant malicious payloads or ransomware.
“The FBI, CISA, EPA, and NSA recommend WWS facilities – including DoD water treatment facilities in the United States and abroad – use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats,” the advisory recommends.
The agencies recommend various WWS monitoring, remote access, network, safety system, planning, and operational mitigations. Additional mitigations included:
- Fostering a culture of cyber readiness.
- Employing user account management.
- Updating software.
- Regularly backing up data.