
FBI, NSA, CISA and EPA Issued Joint Cybersecurity Advisory on Cyber Threats Targeting Water Facilities

A joint cybersecurity advisory by a coalition of federal agencies warns of “ongoing malicious cyber activity” by known and unknown threat actors on U.S. Water and Wastewater Systems (WWS) Sector facilities.

Issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Environmental Protection Agency (EPA), the advisory says hackers attempted to “compromise system integrity via unauthorized access.”

These attacks threatened the government’s ability to provide clean and potable drinking water and manage wastewater, according to the joint cybersecurity advisory.

However, the joint advisory clarified that it did not suggest that cyber threats against water facilities were increasing, although that was the case for critical infrastructure.

Common cyber threats facing water facilities

The cybersecurity advisory noted that known and unknown attackers targeted WWS operational technology (OT) networks, systems, and devices.

It also listed common tactics, techniques, and procedures (TTPs) used by threat actors to target water and wastewater treatment facilities.

They include spear phishing campaigns targeting employees with malicious payloads, including ransomware, through malicious links and attachments.

Threat actors also targeted unsupported or outdated operating systems and software to compromise the water facilities, the joint cybersecurity advisory noted.

Additionally, vulnerable firmware on control system devices on water systems exposed water facilities to remote cyber threats.

List of cyberattacks targeting water facilities

The cybersecurity advisory also listed several attacks, including a California-based WWS facility incident involving a Ghost malware variant in August 2021.

Similarly, a Maine-based wastewater WWS facility SCADA computer suffered a ZuCaNo ransomware attack in July 2021.

In March 2021, a Nevada-based WWS facility also suffered a ransomware attack, affecting the SCADA and backup systems.

According to the joint cybersecurity advisory, Makop ransomware also struck a New Jersey-based WWS facility in September 2020, compromising computer systems within the facility.

A former employee at a Kansas-based WWS facility also attempted to endanger drinking water safety using unrevoked access into the water facility.

Another hacker attempted to poison the water supply in Oldsmar, Florida, by increasing sodium hydroxide from 100 to 11,100 parts. Pinellas County Sheriff Bob Gualtieri said the hacker gained access by compromising the operating system at the city’s main water treatment facility.

“It is heartening to see the FBI, CISA, EPA, and the NSA working together with the Water ISAC and Dragos to put this alert together,” said Bill Lawrence, CISO at SecurityGate. “Adversaries are looking to use spearphishing (targeted phishing) and exploits against unpatched software or outdated firmware to execute these attacks.”

Lawrence lauded the Department of State’s Rewards for Justice (RFJ) program offering a $10 million reward for reporting foreign cyber threats against U.S. critical infrastructure. He noted that the strategy was more effective than penalizing the victims of ransomware attacks.

Joint cybersecurity advisory guidelines on protecting water facilities

The cybersecurity advisory recommended protecting water facilities against cyber threats, including ransomware attacks.

The agencies advised cybersecurity personnel to check for suspicious activity and indicators of compromise.

These include permanent or temporary denial of access to SCADA system controls, unfamiliar data or windows alerts, abnormal operating parameters such as unusually high chemical rates, and access to SCADA systems by unauthorized or unassigned individuals.

Similarly, system access by authorized employees at unusual times of the day could indicate that their security credentials have been compromised.

Unexplained restarts and fluctuations of SCADA system parameters also indicate cyber threats by malicious actors targeting water facilities.
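The indicators above can be checked mechanically against SCADA access and event logs. The following is an added example, not code from the advisory or the agencies; the log format, user roster, shift hours and setpoint threshold are assumptions, and the sample lines are constructed.

```python
from datetime import datetime

# Constructed sample events (not from the advisory): time, user, event, value
SAMPLE_LOG = """\
2024-01-10T08:02:11 operator1 login -
2024-01-10T08:15:40 operator1 naoh_setpoint 100
2024-01-10T13:31:07 operator1 naoh_setpoint 11100
2024-01-11T02:47:53 operator1 login -
2024-01-11T03:05:19 contractor9 login -
2024-01-11T03:10:02 system restart unplanned
2024-01-11T09:00:00 system restart planned
"""

# Site-specific assumptions; tune these to the plant's own baseline.
AUTHORIZED = {"operator1", "operator2"}  # assigned SCADA users
SHIFT_HOURS = range(6, 20)               # normal access hours, 06:00-19:59
NAOH_MAX = 200.0                         # upper bound for the dosing setpoint


def find_indicators(log_text):
    """Return (timestamp, indicator) pairs for the warning signs listed above."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, event, value = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if event == "login" and user not in AUTHORIZED:
            findings.append((ts, f"access by unassigned user {user}"))
        elif event == "login" and ts.hour not in SHIFT_HOURS:
            findings.append((ts, f"off-hours access by {user}"))
        elif event == "naoh_setpoint" and float(value) > NAOH_MAX:
            findings.append((ts, f"abnormal chemical setpoint {float(value):g}"))
        elif event == "restart" and value != "planned":
            findings.append((ts, "unexplained restart"))
    return findings


if __name__ == "__main__":
    for ts, reason in find_indicators(SAMPLE_LOG):
        print(ts.isoformat(), reason)
```

The thresholds only mean something relative to a plant's own baseline, so a flagged event is a prompt for review by operations staff rather than proof of compromise.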

Eric Goldstein, executive assistant director for cybersecurity at CISA, said that current cyber threats underscored the need to make cybersecurity a top priority for critical infrastructure operators.

“While vulnerabilities within the water sector are comparable to vulnerabilities observed across many other sectors, the criticality of water and wastewater infrastructure and recent intrusions impacting the sector reflect the need for continued focus and investment,” Goldstein continued.

However, Lawrence noted that the multi-agency cybersecurity advisory failed to stress the need for staff training in fighting cyber threats targeting water facilities.

“From a people, processes, and technology viewpoint, user training should have been the number one recommendation so as to recognize phishing attempts, thwart ransomware, or respond rapidly if it takes hold, rather than the last bullet in the ‘additional mitigations’ strategy and buried near the end,” Lawrence concluded.