Current Cyber Threats to Water and Wastewater Systems in the United States
Table of Contents
- Joint Cybersecurity Advisory (CSA)
- Overview of potential Threat
- Cybersecurity Upskilling - Exercises in the Water Sector
- Cybersecurity Virtual Workshop
- Threats to WWS from Cyberspace
- Be Cyber Smart
CISA, the FBI, and the EPA collaborate closely during a cybersecurity incident to alert a targeted entity, evaluate the cyber incident's consequences, and provide recommendations to the targeted entity.
The EPA also contributes to an incident response by directing sector requests for assistance to CISA, confirming that these requests are being fulfilled, communicating alerts to the sector, and providing critical "steady-state" assistance through water sector-specific cybersecurity tools, exercises, and technical assistance.
A joint Cybersecurity Advisory (CSA) has been issued outlining current cyber risks to the U.S. Water and Wastewater Systems (WWS) Sector. This activity, which includes cyber breaches leading to ransomware attacks, endangers WWS facilities' capacity to deliver clean, drinkable water to their communities and properly manage their wastewater.
The joint CSA offers a wide range of mitigations and tools to help Water and Wastewater Sector establishments improve operational resilience and cybersecurity.
CISA has also produced a Cyber Risks & Resources for the WWS Sector infographic, which outlines the information technology and operational technology risks that the WWS Sector confronts and some resources.
WWS facilities may be exposed to the following tactics, techniques, and procedures (TTPs), which threat actors use to compromise I.T. and O.T. networks, systems, and devices:
- Spearphishing to deliver ransomware
- Exploitation of internet-connected applications
- Exploitation of control system devices with vulnerable firmware versions
Spearphishing is one of the most commonly used methods for gaining initial access to computer networks. Individuals, and their apparent lack of cyber awareness, are a risk to an organization.
Employees may open malicious links or attachments, which execute malicious payloads, in emails from threat actors that have bypassed email filtering controls.
When I.T. and O.T. systems are integrated, attackers can gain access to O.T. assets, intentionally or inadvertently, after the I.T. network has been compromised through spearphishing or other means.
Threat actors can exploit internet-connected services and applications that enable remote access to WWS networks.
For example, threat actors can deploy ransomware on a network through a Remote Desktop Protocol (RDP) service that is insecurely connected to the Internet.
If RDP is used for process control equipment, the attacker could also compromise WWS operations.
Note that the increased use of remote operations due to the COVID-19 pandemic has likely increased the prevalence of remote access flaws.
WWS networks are frequently exposed to publicly accessible and remotely executable vulnerabilities due to obsolete control system devices or firmware versions.
Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data.
The FBI, along with other authorities such as CISA, the EPA, and the NSA, advised WWS facilities (including DoD water treatment plants in the United States and abroad) to use a risk-informed analysis to assess the applicability of technical and non-technical mitigations for preventing, detecting, and responding to cyber threats.
Implement and maintain strong network segmentation between I.T. and O.T. networks to prevent malicious cyber actors from pivoting to the O.T. network after compromising the I.T. network.
To decrease the attack surface that threat actors can exploit, remove from networks any equipment that is not essential to operations.
Create/update network maps to ensure a complete accounting of all network-connected equipment.
To prevent uncontrolled communication between the I.T. and O.T. networks, use demilitarized zones (DMZs), firewalls, jump servers, and one-way communication diodes.
If electronic communications are disrupted, demonstrate the capacity to switch to other control systems, including manual operation.
Allow staff to practice decision-making through tabletop exercises that include loss of visibility and control scenarios. Use resources like the Cybersecurity Incident Action Checklist from the Environmental Protection Agency (EPA).
Install self-contained cyber-physical safety systems. If a malicious attacker gains control of the control system, these systems physically prevent harmful conditions from occurring.
Examples of cyber-physical safety system controls include the size of the chemical feed pump, gearing on valves, and pressure switches.
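The segmentation and remote-access mitigations above can be checked against a network map. The following Python sketch is an added example, not code from the advisory or from CISA: it audits a list of permitted or observed flows for direct I.T./O.T. paths that bypass the DMZ and for RDP exposed to the Internet. The zone address ranges and sample flows are constructed assumptions; substitute the ranges from your own network map.

```python
import ipaddress

# Assumed zone plan (constructed for this example, not taken from the advisory).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
RDP_PORT = 3389  # default TCP port for Remote Desktop Protocol

def zone_of(addr):
    """Map an address to its zone; anything outside the plan counts as INTERNET."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"

def audit_flow(src, dst, port):
    """Return the segmentation findings for one permitted or observed flow."""
    s, d = zone_of(src), zone_of(dst)
    findings = []
    if {s, d} == {"IT", "OT"}:
        findings.append("direct IT/OT path bypasses the DMZ")
    if s == "INTERNET" and d == "OT":
        findings.append("OT asset reachable from the Internet")
    if s == "INTERNET" and d != "INTERNET" and port == RDP_PORT:
        findings.append("RDP exposed to the Internet")
    return findings

def audit(flows):
    """Return {flow: findings} for every flow that violates the policy."""
    report = {}
    for flow in flows:
        findings = audit_flow(*flow)
        if findings:
            report[flow] = findings
    return report

# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.5", 443),     # I.T. workstation to DMZ jump server
    ("10.20.0.5", "10.30.1.10", 22),      # jump server to O.T. host
    ("10.10.4.21", "10.30.1.10", 502),    # I.T. host straight to a controller
    ("203.0.113.7", "10.30.2.15", 3389),  # Internet RDP to an O.T. workstation
    ("203.0.113.7", "10.10.9.9", 3389),   # Internet RDP to an I.T. host
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow, "->", "; ".join(findings))
```

Flows that pass through the DMZ produce no findings; every reported flow is a rule or route to remove or re-home behind the jump server.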
For water and wastewater utilities, enforcing cybersecurity best practices is crucial. Cyber-attacks on key infrastructures, such as water and wastewater systems, are becoming more common.
Many critical infrastructure sites have experienced cybersecurity incidents that disrupted a business process or essential operation. This brief provides information to assist state primacy agencies in starting a conversation about cybersecurity issues with water systems.
A virtual workshop named “Water Sector Cybersecurity Training and Response Exercises” offers training on water sector cybersecurity threats, vulnerabilities, consequences, best practices, resources, and program development online and at locations across the country. The workshops also feature guided response exercises for cybersecurity issues in the water sector.
Cyberattacks against water and wastewater system (WWS) utilities, as well as their process control systems, can have severe consequences, such as:
- Attempts to hack into the provider's website or email system.
- Installation of dangerous programs, such as ransomware, that can disrupt business operations or process control.
- Disruption of treatment and conveyance operations by opening and closing valves, overriding alarms, or disabling pumps or other equipment.
- Theft of customers' private information or credit card numbers from the utility's billing system.
The Internet has an impact on practically every aspect of our life. We can shop, bank, communicate with family and friends, and manage our medical data all from the comfort of our own homes.
You must give personally identifiable information (PII) such as your name, date of birth, account numbers, passwords, and location information to participate in these activities. To lessen the chance of becoming a victim of cybercrime, #BeCyberSmart when sharing personal information online.
Do Your Part. #BeCyberSmart.
Being Cyber Smart
In its 18th year, Cybersecurity Awareness Month continues to talk about the importance of cybersecurity throughout the United States, ensuring that all individuals have access to the resources they need to be safer and more secure online.
Don't give in to pressure. The majority of emails that induce a sense of urgency or anxiety are phony. Take your time, read the entire email, and be wary: double-check the "from" address to ensure it's authentic.
Stop and think. Before responding, have a look at the email. Is it surprising? Is the request logical? When in doubt, contact the sender independently by phone or email (not by replying to the email).
All in all, the U.S. Environmental Protection Agency (EPA) is investigating hackers' potential to take control of pumps, valves, and hydrants and operate them, or to deliver inaccurate operational and water quality information to water system operators, endangering pipe integrity, water quality, and fire protection.
The findings of this research will be incorporated into future EPA guidance, tools, and training. The water sector, like other essential infrastructure, can be a target of cybersecurity threats and risks. Water and wastewater companies must implement cybersecurity methodologies.
Have you noticed how frequently security breaches, data theft, and privacy violations are in the news these days? Perhaps you or someone you know has been a victim of cyber fraudsters who have taken personal information, banking credentials, or other sensitive information.
As these types of situations grow more common, becoming more aware of them is inevitable.