To better secure the U.S. water and wastewater systems (WWS), the FBI, CISA, EPA, and NSA released a joint advisory reporting on various ransomware attacks and highlighting best practices to mitigate possible vulnerabilities in both information technology (IT) and operational technology (OT) networks, systems, and devices.
The advisory listed several attacks from 2019 to 2021 on WWS facilities across the country. The most recent, in August, was a Ghost ransomware deployment against a facility in California. The intruders had been in the system for a month and were only discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message. The advisory also listed the common tactics, techniques, and procedures (TTPs) threat actors use to compromise these systems, such as spearphishing, exploitation of outdated operating systems and software, and exploitation of system devices with vulnerable firmware.
While the advisory did not indicate a greater threat to the WWS sector, it urges organizations to implement proper mitigating procedures and security measures. According to the report, attempts to compromise the integrity of these systems could cause significant disruptions, such as an inability to provide clean water or to properly manage wastewater. The advisory also brought to light the need to allocate resources for better security in IT and OT systems.
To mitigate risk, WWS facilities should use risk-informed analysis to prevent, detect, and respond to cyber threats. Responsible WWS personnel should watch for any indicators of compromise, along with any abnormal operating parameters, such as unusually high chemical addition rates used in the treatment of drinking water. Additional indicators could include unfamiliar alerts appearing on SCADA system controls and facility data screens, which could indicate a ransomware attack.
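The "abnormal operating parameters" the advisory points to can be checked by a monitor that reads process telemetry independently of the HMI screens an intruder may also control. The following is an added illustration, not code from the advisory or from any WWS facility: it replays a constructed stream of chemical dosing readings (hypothetical historian tag name and engineering limits) and raises an alert when a value exceeds the hard engineering limit or jumps well outside a rolling robust baseline built from recent readings.

```python
"""Added example: out-of-band check for unusually high chemical dosing rates.

All tag names, limits and readings below are constructed for illustration;
they are not taken from the advisory or from any real plant.
"""
from collections import deque
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Reading:
    ts: int        # seconds since epoch (constructed)
    tag: str       # historian tag name (hypothetical)
    value: float   # dosing rate in mg/L (constructed)


@dataclass(frozen=True)
class Alert:
    ts: int
    tag: str
    value: float
    reason: str


# Hard engineering limits per tag: anything outside is never legitimate.
# Hypothetical values; a real plant would take these from its process design.
ENGINEERING_LIMITS = {"NAOH_DOSE_MGL": (0.0, 50.0)}

# Smallest spread we tolerate when building the baseline, so a perfectly flat
# history does not turn every tiny fluctuation into an alert.
MAD_FLOOR = 0.5


def robust_bounds(window, k=5.0):
    """Median +/- k * MAD of the recent readings (robust to a few outliers)."""
    med = median(window)
    mad = max(median(abs(x - med) for x in window), MAD_FLOOR)
    return med - k * mad, med + k * mad


def monitor(readings, window_size=12, k=5.0):
    """Return alerts for readings that break a hard limit or the rolling baseline.

    Readings that trigger an alert are *not* added to the baseline, so a
    sustained manipulation cannot gradually redefine "normal".
    """
    history = {}   # tag -> deque of recent readings accepted as normal
    alerts = []
    for r in readings:
        lo, hi = ENGINEERING_LIMITS.get(r.tag, (float("-inf"), float("inf")))
        if not lo <= r.value <= hi:
            alerts.append(Alert(r.ts, r.tag, r.value,
                                f"outside engineering limit [{lo}, {hi}]"))
            continue
        win = history.setdefault(r.tag, deque(maxlen=window_size))
        if len(win) >= window_size:   # baseline only once warmed up
            blo, bhi = robust_bounds(win, k)
            if not blo <= r.value <= bhi:
                alerts.append(Alert(r.ts, r.tag, r.value,
                                    f"deviates from rolling baseline [{blo:.1f}, {bhi:.1f}]"))
                continue
        win.append(r.value)
    return alerts


# Constructed telemetry: twelve steady readings around 10 mg/L, one normal
# reading, a sudden jump to 24 mg/L, a value beyond the hard limit, then normal.
_BASE = [9.8, 10.1, 10.0, 9.9, 10.2, 10.0, 9.7, 10.1, 10.0, 9.9, 10.3, 10.0]
SAMPLE_READINGS = [
    Reading(1_700_000_000 + 60 * i, "NAOH_DOSE_MGL", v)
    for i, v in enumerate(_BASE + [10.1, 24.0, 120.0, 10.0])
]


def run_demo():
    """Run the monitor over the constructed sample and return its alerts."""
    return monitor(SAMPLE_READINGS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts} {a.tag}={a.value} -> {a.reason}")
```

The two detection rules are deliberately separate: the engineering limit catches values no operator would ever set, while the baseline comparison catches a dosing rate that is physically plausible but abruptly different from recent operation. Because the monitor reads the historian rather than the operator screens, a ransomware message or a tampered HMI display does not blind it.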
According to the advisory, recommended actions that WWS facilities should take to protect against cyberattacks include:
- Do not click on suspicious links.
- If you use RDP, secure and monitor it.
- Use strong passwords.
- Use multi-factor authentication.