CISA outlines cyberthreats targeting US water and wastewater systems
CISA listed multiple ransomware attacks on water facilities this year, including ones in California, Maine and Nevada.
By Jonathan Greig | October 14, 2021 | Topic: Security
In a new advisory, CISA has warned US water and wastewater system operators about an array of cyberthreats aimed at disrupting their operations. Cybersecurity company Dragos worked with CISA, the FBI, the NSA and the EPA to outline cyberthreats targeting the information and operational technology underpinning the networks, systems and devices of US water and wastewater facilities.
The warning also outlines a series of attacks that have happened this year, some of which were never reported previously.
CISA noted that the advisory was not an indication of the potential for increased attacks targeting this particular sector but was simply an effort to help water facility operators protect their systems.
The notice lists spearphishing as one of the most prevalent methods used by cybercriminals and nation-states to gain access to water systems, explaining that it is often deployed to deliver malicious payloads, including ransomware. CISA added that because IT and OT systems are often integrated, access to one gives attackers access to the other.
CISA also cited exploitation of internet-connected services such as RDP as another method used to attack water systems. With COVID-19, many water system operators use RDP and other tools to access the systems remotely, leaving them exposed when they run outdated operating systems or software.
"WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair (e.g., pipes) rather than IT/OT infrastructure. The fact that WWS facilities are inconsistently resourced municipal systems -- not all of which have the resources to employ consistently high cybersecurity standards -- may contribute to the use of unsupported or outdated operating systems and software," CISA explained.
"WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data."
The notice lists several recent attacks since 2019, including one in August 2021 that involved the Ghost ransomware being deployed against a facility in California. Attackers spent a month inside the system before putting up a ransomware message on three supervisory control and data acquisition servers.
An attack in July saw the ZuCaNo ransomware used to damage a wastewater facility in Maine, and in March a Nevada water treatment plant was hit with an unknown ransomware variant.
In September 2020, the Makop ransomware hit a New Jersey facility and another attack in March 2019 involved an attempt to threaten the drinking water of a town in Kansas.
CISA lists a number of things operators should look out for, including the inability to access certain SCADA system controls, unfamiliar data windows or system alerts, abnormal operating parameters and more.
CISA urged water facilities to put increased security controls around RDP and implement "robust" network segmentation between IT and OT networks.
All facilities should have an emergency response plan and consider a wide range of impacts that a cyberattack may have on how systems function. CISA noted that there should also be systems in place that physically stop certain dangerous conditions from occurring even if a system is taken over.
Neil Jones, cybersecurity evangelist for Egnyte, told ZDNet that the recent attacks on water treatment plants in the Bay Area, Florida and Pennsylvania should be a wake-up call that the country's critical food, utility and energy infrastructure is under direct threat from cyberattacks.
Jones said recent reports indicate that 1 in 10 waste or wastewater plants has a critical security vulnerability.