CISA outlines cyberthreats targeting US water and wastewater systems

In a new advisory, CISA has warned US water and wastewater system operators about an array of cyberthreats aimed at disrupting their operations. Cybersecurity company Dragos worked with CISA, the FBI, the NSA and the EPA to outline cyberthreats targeting the information and operational technology underpinning the networks, systems and devices of US water and wastewater facilities.

The warning also outlines a series of attacks that have happened this year, some of which were never reported previously. 

CISA noted that the advisory was not an indication of the potential for increased attacks targeting this particular sector but was simply an effort to help water facility operators protect their systems. 

The notice lists spearphishing as one of the most prevalent methods used by cybercriminals and nation-states to gain access to water systems, explaining that it is often deployed to deliver malicious payloads, including ransomware. CISA added that because IT and OT systems are often integrated together, access to one gives attackers access to the other. 

CISA also mentioned exploitation of internet-connected services like RDPs as another tool used to attack water systems. With COVID-19, many water system operators use RDPs and other tools to access the systems remotely, leaving them vulnerable to outdated operating systems or software. 

“WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair (e.g., pipes) rather than IT/OT infrastructure. The fact that WWS facilities are inconsistently resourced municipal systems — not all of which have the resources to employ consistently high cybersecurity standards — may contribute to the use of unsupported or outdated operating systems and software,” CISA explained. 

“WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data.”

The notice lists several recent attacks since 2019, including one in August 2021 that involved the Ghost ransomware being deployed against a facility in California. Attackers spent a month inside the system before putting up a ransomware message on three supervisory control and data acquisition servers. 

An attack in July saw the ZuCaNo ransomware used to damage a wastewater facility in Maine and in March, a Nevada water treatment plant was hit with an unknown ransomware variant. 

In September 2020, the Makop ransomware hit a New Jersey facility and another attack in March 2019 involved an attempt to threaten the drinking water of a town in Kansas. 

CISA lists a number of things operators should look out for, including the inability to access certain SCADA system controls, unfamiliar data windows or system alerts, abnormal operating parameters and more. 

They urged water facilities to put increased security controls around RDPs and implement “robust” network segmentation between IT and OT networks. 

All facilities should have an emergency response plan and consider a wide range of impacts that a cyberattack may have on how systems function. CISA noted that there should also be systems in place that physically stop certain dangerous conditions from occurring even if a system is taken over. 

Neil Jones, cybersecurity evangelist for Egnyte, told ZDNet that the recent attacks on water treatment plants in the Bay Area, Florida, and Pennsylvania, should be a wake up call that the country’s critical food, utility and energy infrastructure are under direct threat from cyberattacks. 

Jones said recent reports indicate that 1 in 10 waste or wastewater plants has a critical security vulnerability. 

Bjorn Townsend, a water infrastructure incident responder for cybersecurity company Critical Insight, said alerts like this “indicate that they have specific intelligence that threat actors are attempting to tamper with our water systems on an ongoing basis, and they’re trying to alert water system operators to that fact.” 

“Municipal IT personnel should pass the guidance in the ‘WWS Monitoring’ section on to the plant engineers who work with the utility’s SCADA systems even if they aren’t specifically trained in IT, and give guidance on how to alert IT and/or cybersecurity staff to respond to the potential threat,” Townsend said. 

“The alert lists mitigations for the very issues I have seen firsthand while performing cyber and physical risk assessments of municipal water systems here in Washington State under the America’s Water Infrastructure Act of 2018. Most of the water systems I have personally inspected do not have the majority of the mitigations listed in place, particularly in terms of remote access controls, system upgrades, access reviews, or monitoring and logging of activity.”

Water systems, he added, often have to deal with a lack of resources, both in terms of management, monitoring technologies and even a lack of investment in regular software and hardware upgrades for the industrial controls networks in those systems. 

The other issue is a lack of cooperation between water system operators and municipal IT staff, Townsend explained. 

“In a municipal water system, I often see a situation where IT administrators — who are nominally responsible for the computers within the drinking water system — are at odds with water system operators, because water system operators are trained to make minimal changes to a system over time,” he said. 

“That ‘minimal change’ approach is completely at odds with the recommended 30-day patching cycle for Microsoft Windows, let alone upgrading the software on the PLCs themselves. As a result, this alert shows that we need to both dramatically improve resourcing for IT and cybersecurity in the water sector and break down the stovepipe between municipal IT staff and the operators of their municipal water system by encouraging water system operators to follow IT software and hardware update policies.”  

More than anything, Townsend said the lack of funding is often the greatest problem operators face because many organizations are bound simply by the number of people they have available to perform these otherwise very routine tasks. The staff they have are usually close to the minimum number required to respond to help desk and support requests, Townsend noted.