
U.S. Joint Advisory Warns Water Sector of Ongoing Cyber Threats

Threat actors are consistently attempting to infiltrate U.S. water and wastewater sector (WWS) facilities, according to a joint advisory issued Thursday. 

“This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” the advisory said.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) issued the advisory with support from the Water Information Sharing and Analysis Center (ISAC) and Dragos. 

The advisory highlighted five cyber intrusions from 2019 to 2021 that targeted the WWS sector. The most recent occurred in August 2021, when cyber actors used a Ghost variant of ransomware against a California-based WWS facility.

“The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message,” according to the advisory.

Three of the other intrusions were also ransomware threats; the fifth incident involved a former employee using his credentials—which were not revoked when he resigned—to remotely access a computer and attempt to threaten drinking water safety at a Kansas-based WWS facility.

“Water and wastewater systems are chronically under-resourced and unable to defend against cyberattacks, a resource usually given very little thought when protecting critical infrastructure,” says Sergio Caltagirone, vice president of threat intelligence at Dragos. “Water systems are the vulnerable critical infrastructure that keeps me up at night. Dragos’ visibility and intelligence confirm CISA’s assessment that water and wastewater system intrusions continue posing a threat to us all.”

The advisory authors noted that WWS facilities are vulnerable to common tactics and techniques used by threat actors to compromise IT and Operational Technology (OT) networks, systems, and devices, such as spearphishing to introduce ransomware. Facilities that have integrated their OT and IT systems could be more vulnerable if a spearphishing attempt is successful.

“For example, threat actors can exploit a Remote Desktop Protocol (RDP) that is insecurely connected to the Internet to infect a network with ransomware,” the advisory said. “If the RDP is used for process control equipment, the attacker could also compromise WWS operations. Note: the increased use of remote operations due to the COVID-19 pandemic has likely increased the prevalence of weaknesses associated with remote access.”

In the August 2021 issue of Security Technology, Caltagirone wrote about how industrial control systems are becoming increasingly connected, creating business and operational opportunities alongside new risks. 

“Cyber risk to industrial sectors has grown and accelerated dramatically, led by ransomware impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from adversaries targeting ICS,” Caltagirone explained in the piece.

“In all the incident-response cases Dragos worked on, the attackers gained access to the victim’s ICS network via the Internet, and shared IT and OT credentials were used to move laterally in the network,” he wrote. “Dragos threat data shows the abuse of valid accounts and shared credentials are favorite methods employed by Threat Activity Groups.”

To mitigate the threat, the advisory authors recommended a variety of actions for WWS facilities—including U.S. Department of Defense water treatment facilities in the United States and abroad. These include personnel monitoring for suspicious activities and indicators, in addition to network and system monitoring capabilities; remote access mitigations, such as requiring multi-factor authentication for all remote access to the OT network; and implementing “robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network.”

The advisory also suggested that WWS facilities have emergency response plans that consider the potential impacts a cyberattack might pose—and practice those plans—as well as install independent cyber-physical safety systems, which physically prevent dangerous conditions from occurring if a control system is compromised.
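As an added illustration of the monitoring, remote-access and segmentation recommendations above (not code from the advisory or from any of its authors), the script below runs three checks over constructed remote-logon records: a logon by an account that should have been revoked, an RDP logon reaching an OT host from outside the internal address space, and any OT-zone logon that did not come through a sanctioned jump-host range. The log format, the account list and the address ranges are all assumptions made up for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed sample logon records (not real events). Fields:
# timestamp,user,source_ip,destination_host,destination_zone,logon_type
SAMPLE_LOG = """\
2021-08-02T01:12:03Z,operator1,10.20.0.15,scada-hmi-1,OT,RDP
2021-08-02T01:15:44Z,jdoe,203.0.113.7,scada-hmi-1,OT,RDP
2021-08-02T02:03:10Z,svc_backup,10.10.5.9,fileserver-1,IT,NETWORK
2021-08-02T02:10:00Z,contractor9,10.10.5.40,plc-gateway-2,OT,RDP
"""

# Hypothetical inventory an operator would maintain alongside the logs.
REVOKED_ACCOUNTS = {"jdoe"}  # e.g. credentials of a resigned employee
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only address range that is allowed to open sessions into the OT zone
# (a jump host behind MFA in the IT/OT boundary segment).
OT_JUMP_HOSTS = [ipaddress.ip_network("10.20.0.0/24")]

Finding = namedtuple("Finding", "rule user src dst")


def parse_line(line):
    ts, user, src, dst, zone, ltype = line.strip().split(",")
    return {"ts": ts, "user": user, "src": ipaddress.ip_address(src),
            "dst": dst, "zone": zone, "type": ltype}


def in_networks(ip, nets):
    return any(ip in net for net in nets)


def check_event(ev):
    """Apply the three detections to one parsed logon record."""
    hits = []
    if ev["user"] in REVOKED_ACCOUNTS:
        hits.append(Finding("revoked-account-logon", ev["user"], str(ev["src"]), ev["dst"]))
    # RDP from a non-internal source means the service is reachable from the Internet.
    if ev["type"] == "RDP" and not in_networks(ev["src"], INTERNAL_NETWORKS):
        hits.append(Finding("rdp-from-internet", ev["user"], str(ev["src"]), ev["dst"]))
    # Any path into OT that bypasses the jump hosts is a segmentation violation.
    if ev["zone"] == "OT" and not in_networks(ev["src"], OT_JUMP_HOSTS):
        hits.append(Finding("ot-access-outside-jump-hosts", ev["user"], str(ev["src"]), ev["dst"]))
    return hits


def scan_log(text):
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(check_event(parse_line(line)))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the revoked account's Internet-sourced RDP session three times over and the contractor's direct IT-to-OT hop once, while the two sanctioned logons produce nothing.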

“It’s critical that the worldwide community make the best risk-based policy and defensive decisions on industrial systems such as water—because our civilization and lives rely on them,” Caltagirone says. “The most important action water and wastewater systems operators can take in response to this advisory is to increase visibility and threat detection in their industrial environments because without visibility effective defense is near impossible.”