On Thursday, several US government agencies issued a coordinated alert to warn water and wastewater companies of ongoing cyberattacks. Three previously unreported ransomware attacks affecting industrial control systems (ICS) at water facilities are also described in the advisory.
The FBI, CISA, the EPA, and the NSA all issued the alarm. The agencies are aware of attacks on water facility IT and OT (operational technology) networks, which have been carried out by both known and unknown threat actors.
While cyber risks are expanding across critical infrastructure sectors, the recent notice does not imply that the water and wastewater industry is being targeted more than other sectors, according to the agencies.
The new alert discusses the threats posed by data, ransomware, network segmentation, network complexity, and system maintenance, as well as threat actors’ strategies, methods, and procedures (TTPs) for compromising IT and OT systems and networks. It also includes suggestions on how businesses should avoid, detect, and respond to cyber threats.
The alert also includes various examples of attacks carried out by hostile insiders and foreign threat actors during the last few years. Three occurrences that occurred this year and were not previously made public are among the examples. Supervisory control and data acquisition (SCADA) systems were harmed in each of these attacks.
In one incident in March, attackers targeted a water facility in Nevada with unknown ransomware. The malware damaged SCADA and backup systems, however the agencies stressed that the SCADA system was “not a full industrial control system,” since it just provided monitoring and visibility.
In July, a facility in Maine was the target of another incident. The ZuCaNo ransomware was used by hackers to infect a wastewater SCADA computer. “Until the SCADA computer was restored using local control and more frequent operator rounds, the treatment system was run manually,” the authorities said in their statement.
In August, the third newly revealed attack occurred. A form of malware known as Ghost was installed on the networks of a California water utility by threat actors. After the organisation detected three SCADA servers flashing a ransomware warning, the malware was identified about a month after the first breach.
Two known incidents from 2019 and 2020 are also described in the security notice, one of which involved an insider who was charged earlier this year.
According to the government, more than 150,000 public water systems provide drinking water to millions of Americans, and wastewater treatment facilities process around 34 billion gallons of wastewater each year. Water and wastewater systems are classified as national vital functions in the United States, and their disruption or corruption would “have a crippling effect on security, national economic security, national public health or safety, or any combination thereof,” according to the US.
The FBI, CISA, the EPA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a warning earlier this year when threat actors reportedly attempted to contaminate the water supply by gaining illegal access to a SCADA system at a drinking water treatment plant in Florida.