US warns water, wastewater sectors of ransomware attacks


U.S. agencies issued on Thursday a joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to the U.S. Water and Wastewater Systems (WWS) sector. The activity identified includes cyber intrusions leading to ransomware attacks, which threaten the ability of WWS facilities to provide clean and potable water and to effectively manage the wastewater of their communities. These threats come from both known and unknown hackers targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. WWS sector facilities.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) provided in the joint CSA advisory extensive mitigations and resources to assist WWS sector facilities in strengthening operational resilience and cybersecurity practices.

Cybercriminals have been observed targeting desktop sharing applications, which, despite having legitimate uses, can also be exploited by malicious hackers using social engineering tactics and other illicit measures. Computer networks running operating systems that have reached end-of-life status also pose a significant risk that malicious attackers will gain unauthorized access to systems.

The WWS sector has faced various cyber intrusions from 2019 to early 2021, with the most recent one in August, when malicious cyber attackers used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message. Before that, in July 2021, cyber hackers used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer.

In February, hackers gained unauthorized remote access to a water treatment plant’s computer system in Oldsmar, Florida, and attempted to increase the sodium hydroxide in the drinking water to potentially dangerous levels. This incident got a lot of attention.

In March, cyber attackers used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS). Personnel at a New Jersey-based WWS facility discovered last September that potential Makop ransomware had compromised files within their system, while in March 2019, a Kansas-based WWS facility experienced a cybersecurity breach that threatened drinking water safety; it was discovered to have been carried out by a former employee who used their user credentials to access the system.

WWS facilities may be vulnerable to common tactics, techniques, and procedures (TTPs) used by threat hackers to compromise IT and OT networks, systems, and devices, the joint CSA advisory said. Some of the strategies adopted include spearphishing personnel to deliver malicious payloads, including ransomware, exploitation of unsupported or outdated operating systems and software, or manipulation of control system devices with vulnerable firmware versions.

Spearphishing is one of the most prevalent techniques used for initial access to IT networks. Personnel and their potential lack of cyber awareness are a vulnerability within an organization, the joint CSA advisory said. Personnel may open malicious attachments or links to execute malicious payloads contained in emails from threat attackers that have successfully bypassed email filtering controls. When organizations integrate IT with OT systems, attackers can gain access, either purposefully or inadvertently, to OT assets after the IT network has been compromised through spearphishing and other techniques.

According to the joint CSA advisory, hackers are likely to seek to take advantage of perceived weaknesses among organizations that either do not have or choose not to prioritize resources for IT/OT infrastructure modernization. WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair, such as pipes, rather than to IT/OT infrastructure. The fact that WWS facilities are inconsistently resourced municipal systems, not all of which have the resources to employ consistently high cybersecurity standards, may contribute to the use of unsupported or outdated operating systems and software.

WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data.

The U.S. EPA had previously alerted about many critical infrastructure facilities having experienced cybersecurity incidents that led to the disruption of a business process or critical operation and released a brief that provides information to help state primacy agencies start a conversation with water systems about cybersecurity threats.

“Protecting against every cyberthreat a plant may encounter may seem like a steep hill for a water and wastewater utility to climb, but it doesn’t need to be. Designing or rehabilitating operations with cybersecurity in mind will go a long way toward delivering a safe and reliable water supply,” Carmen Garibi and Jake White, executives at 1898 & Co., a part of Burns & McDonnell, wrote in a white paper. “While fending off a wide range of potential intrusions, cybersecurity solutions can also help utilities achieve goals for effective and secure connectivity, process optimization and system integration. Utility customers will likely welcome news of these protections as well.”

The joint CSA advisory contains recommended mitigations, including immediate actions water and wastewater utilities can take now to protect against malicious cyber activity. Most importantly, it is recommended that water and wastewater facilities use a risk-informed analysis to determine the applicability of a range of technical and nontechnical mitigations to detect, respond to, and reduce the risk from cyber threats.
