A joint statement from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA) and the National Security Agency (NSA) alerts U.S. water and wastewater systems (WWS) facilities to ongoing cyber threats to the sector.
Cyber threats to WWS facilities
The joint alert highlighted spearphishing and ransomware, insider risk, and outdated operating systems and software as threats to WWS facilities. The FBI, CISA, EPA and NSA noted the following cyberattacks on WWS systems that took place between 2019 and early 2021:
- California: Cyber actors attacked a WWS facility with Ghost variant ransomware, which was discovered after a month, when ransomware messages were displayed across three supervisory control and data acquisition (SCADA) servers.
- Maine: Cyberattackers remotely introduced ZuCaNo ransomware onto a wastewater SCADA computer, resulting in the wastewater treatment facility being run manually until the computer was secure.
- Nevada: Unknown ransomware affected a facility's SCADA and backup systems.
- New Jersey: Staff found that potential Makop ransomware had compromised files in a WWS facility's system.
- Kansas: A former employee unsuccessfully tried to threaten drinking water safety by using their unrevoked user credentials.
How WWS facilities can protect themselves
The joint alert suggests multiple mitigation strategies for WWS facilities to reduce their risk of cyberattack, including threat monitoring, using blocklisting and allowlisting to control remote employee access, reviewing and testing emergency response plans and more. Instituting multi-factor authentication, using strong passwords, securing Remote Desktop Protocol (RDP) and avoiding suspicious links were all listed as suggestions for WWS systems to implement immediately.
The report highlighted that cyberattacks on critical infrastructure are on the rise, while noting that WWS systems are not being attacked at a higher rate than other critical infrastructure sectors. Read the alert for more information on the threats and cyber risk mitigation tools.