US agencies publish joint incident response guide to boost cybersecurity in WWS sector

The U.S. CISA (Cybersecurity and Infrastructure Security Agency), the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency (EPA) released Thursday a joint Incident Response Guide for the Water and Wastewater Systems (WWS) sector. The guide includes contributions from over 25 organizations from the WWS sector, including private industry, nonprofit, and government entities. The collective effort has empowered CISA, FBI, and EPA to create a guide that holds significant value for WWS sector organizations.

The incident response guide provides WWS sector owners and operators with comprehensive information on the federal roles, resources, and responsibilities involved in each stage of the cyber incident response (IR) lifecycle, enabling WWS sector utilities to enhance their existing IR plans and procedures. Developed by CISA, FBI, EPA, and other federal government and WWS sector partners, the guide's primary goal is to promote cyber resilience and improve incident response within the WWS sector.

The document advises WWS utilities on both the suitability and means of collaboration with specific federal entities for each lifecycle stage. Utilities can use the Incident Response Guide to augment their IR planning and collaborate with federal partners and the WWS before, during, and following a cyber incident.

Malicious cyber adversaries have varying goals and capabilities, resulting in a range of threat activities. In targeting U.S. WWS critical infrastructure, malicious cyber actors conduct activities in alignment with their overarching goals, which may be financially and/or politically motivated. Cyber threat actors frequently use ransomware against WWS utilities.

“On internet-facing operational technology (OT) networks, ransomware can quickly propagate to affect operations. For example, in July 2021, criminal cyber actors used the ransomware ZuCaNo, via remote access, to compromise a supervisory control and data acquisition (SCADA) computer on the OT network of a Maine-based WWS utility,” the Incident Response Guide detailed. “This incident caused the utility to revert to manual control of critical processes.” 

Additionally, in August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS utility. The ransomware variant resided in the system for about a month before discovery when three SCADA servers displayed a ransomware message. Nation-state cyber actors also have demonstrated an intent to target U.S. WWS utilities. 

According to a joint cybersecurity advisory released by the U.S. security agencies late last year, the threat group ‘CyberAv3ngers,’ which is affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC), targeted and compromised Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) used at U.S. WWS utilities. The actors likely accessed the affected devices by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.

For the purposes of the guide, WWS utilities can narrow their focus to federal partners with direct cybersecurity equity in the WWS sector, including CISA, EPA, FBI, the Office of the Director of National Intelligence (ODNI), and the DHS Office of Intelligence and Analysis (I&A).

CISA is the operational lead for federal cybersecurity, the national coordinator for critical infrastructure security and resilience, and the lead federal agency for asset response. CISA works closely with the EPA, which is the WWS sector risk management agency; the FBI, which is the federal lead for threat response, counterterrorism, counterintelligence, and federal law enforcement; ODNI, which is the intelligence lead for threat awareness and analysis; and DHS I&A, which is the lead for delivering intelligence to state, local, tribal, and territorial (SLTT) and private sector partners. Each of these federal entities performs distinct and critical roles in securing the WWS sector, leveraging their respective authorities and executive policy.

Utilities should keep in mind that specific information they can provide to federal partners about a cyber incident could be invaluable. Bi-directional information sharing drives the collective federal response and supports the provision of critical support to affected entities. In incidents involving more than one entity, bi-directional information sharing can enable the federal government to build and share a complete picture.

The incident response guide also directs utilities through the IR lifecycle, identifies ways to interface with the federal-level response, and highlights key measures to better posture and prepare for collaboration with federal partners. The four IR lifecycle phases, as defined by NIST SP 800-61, are: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

As the national coordinator for critical infrastructure security and resilience, CISA participates in the federal review and triage of reported sector incidents, conducting collective analysis to determine the incident’s size and scope. CISA coordinates with federal partners to discover the full impact and any cascading or cross-cutting impacts across other critical infrastructure sectors. 

As appropriate, CISA engages relevant external partners to gather additional information, evaluate the severity of the incident(s), and build common situational awareness. Collective evaluation of a cyber incident serves two purposes. First, it prompts information sharing that informs mitigation or remediation activities. Second, it helps partners determine whether collective action is warranted.

Responding to the release of the incident response guide, Brad LaPorte, Gartner veteran and advisor for Tidal Cyber, wrote in an emailed statement to Industrial Cyber that the guide offers resources and instructions for building an organizational-level incident response plan, raising the cybersecurity baseline, and fostering a community focused on WWS sector cybersecurity. “Additionally, it discusses the roles and resources available from federal entities like CISA, FBI, and EPA throughout the cyber incident lifecycle, ensuring that WWS utilities can effectively collaborate with these agencies during a cyber incident.”

In summary, he added that the document stresses that continuous improvement in cybersecurity is critical for the WWS sector to keep ahead of threats. “By mapping defenses to specific attack vectors, employing adversary countermeasures, evicting malicious actors, and embracing a Continuous Threat Informed Defense model, WWS utilities can strengthen their resilience against cyber attacks and minimize the risk to their operations and the broader community they serve.”

In September, CISA, in coordination with the EPA, the Water Sector Coordinating Council (WSCC), and the Association of State Drinking Water Administrators (ASDWA), developed a fact sheet on free cyber vulnerability scanning for water utilities. The document explains the benefits of CISA’s free vulnerability scanning program and the steps for enrolling in the service.
