US Agencies to Water Facilities: You May Be Next TargetFBI, CISA, EPA & NSA Advisory Says Threats to Critical Infrastructure Rising
Several top U.S. federal agencies on Thursday issued a joint advisory around potential cyber threats to the nation's water facilities. In it, officials cite "ongoing malicious cyber activity - by both known and unknown actors - targeting the information technology and operational technology networks, systems and devices" of U.S. water and wastewater systems.
Thursday's advisory - authored by the FBI, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency and the National Security Agency - details "attempts to compromise system integrity via unauthorized access." Cyberattacks, they warn, could threaten the ability to provide clean, potable water to communities and effectively manage wastewater.
Officials say that while cyber threats against water and wastewater systems are not rising, those targeting critical infrastructure are increasing. The advisory reads: "To secure [water] facilities - including Department of Defense water treatment facilities in the U.S. and abroad against tactics, techniques and procedures, [the agencies] strongly urge organizations to implement … recommended mitigations" (see: CISA Must Update Critical Infrastructure Protection Plans).
In a statement shared with Information Security Media Group, Eric Goldstein, executive assistant director of CISA's Cybersecurity Division, says, "Recent ransomware incidents and ongoing threats demonstrate why all critical infrastructure owners and operators should make cybersecurity a top priority. … The criticality of water and wastewater infrastructure and recent intrusions impacting the sector reflect the need for continued focus and investment."
Goldstein adds, "The battle against ransomware doesn't start the day a cyber incident occurs. It begins long before that with the proactive measures detailed in this joint advisory and at StopRansomware.gov, that every owner and operator must take to address security gaps and protect the communities they serve."
Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy and currently CISO with the firm SecurityGate, notes, "Adversaries are looking to use spear phishing and exploits against unpatched software or outdated firmware to execute these attacks. From a people, processes, and technology viewpoint, user training should [be] the number one recommendation so as to recognize phishing attempts, thwart ransomware, or respond rapidly if it takes hold."
Commenting on the guidance, Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, notes, "We have seen over the last year that hackers will look to tamper with anything that could have far-reaching impacts. … So, seeing this joint agency guidance is not unexpected, given how integral critical infrastructure is to both the public and private sector today."
In it, officials say that water facilities may be susceptible to: spear phishing emails to personnel to deliver malicious payloads, including ransomware - as phishing remains one of the most prevalent techniques for initial access; and the exploitation of internet-connected services and applications enabling remote access.
On the latter, officials say: "The increased use of remote operations due to the COVID-19 pandemic has likely increased the prevalence of weaknesses associated with remote access."
The document says that cybercriminals may also exploit unsupported or outdated operating systems and software: "WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair rather than IT/OT infrastructure."
Other entry methods include: the exploitation of devices with vulnerable firmware - which can lead to loss of system control, denial of service, or loss of sensitive data.
The advisory outlines several examples of cyber intrusions between 2019 and mid-2021, which include:
- Malicious cyber actors using Ghost variant ransomware against a California-based facility in August 2021;
- Cyber actors using remote access to introduce ZuCaNo ransomware onto a Maine-based facility's wastewater computer in July 2021;
- Threat actors using an unknown ransomware variant against a Nevada-based facility in March 2021, infecting the victim's supervisory control and data acquisition, or SCADA, system and backups - this system provides visibility and monitoring functions;
- A potential strain of Makop ransomware detected at a New Jersey-based facility in September 2020;
- And, in March 2019, a former employee at a Kansas-based facility unsuccessfully attempted to threaten drinking water by using credentials that had not been revoked to remotely access a facility computer, officials say.
The agency coalition recommends a series of steps to mitigate cyber risks, including:
- Analyze the applicability of technical and non-technical mitigations;
- Check for: inability to access SCADA system controls, unfamiliar alerts, unusually high chemical addition rates, unauthorized or unusual access, and unexplained system restarts;
- Asset owner-operators should: require multifactor authentication for all remote OT access; utilize blocklisting and allowlisting to limit remote access; enable logging and audit regularly; reduce remote-access service time; and close unneeded network ports;
- Network mitigations may include: segmentation between IT and OT networks to limit the ability for cyber actors to pivot to OT from the IT network; technical controls to prevent unregulated communication between the IT and OT networks; and, ensure full accounting of network equipment;
- Also: ensure a robust emergency response plan is in place - and review, test and update the plan; and gauge ability to pivot to manual operation;
- Additionally, facilities should: install independent cyber-physical safety systems - including gearing on valves, pressure switches, etc.;
- Lastly, operators should: consider a centralized patch management system; implement data backup procedures, and account lockout policies to combat brute-force attacks.
On the importance of these steps, Ross Rustici, a former technical lead for the U.S. Department of Defense, says, "The fact that these critical systems are continually and successfully targeted by ransomware operators underscores the need for greater investment in basic security controls."
And Rustici, currently the managing director of the advisory firm StoneTurn, suggests "targeting of these utilities is only going to increase over time" due to real-world impacts pressuring victims to pay ransoms. "Unlike data that can be easily restored from backups," he adds, "operational technology often needs to be rebuilt if it cannot be decrypted."