Ongoing Threats to U.S. Water, Wastewater Systems, IT, OT Networks Prompt Warning
Four US federal agencies – the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) – issued a joint advisory warning of ongoing cyber security threats to water and wastewater systems (WWS).
Cybercriminals use spearphishing to target employees and gain access to IT systems. Once they have a foothold, the attackers move laterally through the network to compromise OT systems if those systems are reachable from IT.
Due to COVID-19, organizations are increasingly using Remote Desktop Protocol (RDP) to let employees connect to work networks. Attackers attempt to exploit vulnerabilities in exposed RDP services to gain entry and then infect IT systems with ransomware.
“If the RDP is used for process control equipment, the attacker could also compromise WWS operations,” says the advisory.
WWS organizations tend to prioritize physical equipment over IT systems when allocating budget. Cybercriminals know this and target their operations accordingly.
As in any organization, threats can also come from former employees who still have access to IT systems.
FBI, CISA, EPA, and NSA recommend WWS facilities use a risk-informed analysis
The advisory lists five major attacks on WWS facilities since 2019. In one incident, ransomware infected a California WWS facility and three supervisory control and data acquisition (SCADA) servers were compromised.
“To secure WWS facilities—including Department of Defense (DoD) water treatment facilities in the United States and abroad—against the TTPs listed below, CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory,” says the joint advisory.
WWS monitoring personnel should check for the following suspicious activities:
- Legitimate WWS personnel are locked out of systems
- Data windows or system alerts appearing on SCADA system controls
- Detection of abnormal operating parameters
- Access to SCADA systems by unauthorized users
- Indicators that SCADA system user credentials are compromised
- Unexplained SCADA system restarts
- Unchanging parameter values that normally fluctuate
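The indicator list above is written for human operators, but several items can be turned into automated checks over SCADA and historian logs. The following is an added example, not code from the advisory or the article: it runs a few of those checks (lockout of an authorized user, logins by users outside an allowlist, unexplained restarts, out-of-range readings, and sensor values that stop fluctuating) over a small set of constructed log records. The usernames, tag names, normal ranges, event format and sample values are all assumptions made for the example.

```python
"""Added example: automated checks for several WWS monitoring indicators.
The event format, usernames, tags and thresholds are assumptions for the
example, not values taken from the advisory."""
from collections import defaultdict

# Constructed sample events: (timestamp, kind, details). Not real data.
SAMPLE_EVENTS = [
    ("2021-10-14T08:00:00", "login", {"user": "operator1", "host": "hmi-01"}),
    ("2021-10-14T08:05:00", "login", {"user": "contractor_old", "host": "hmi-01"}),
    ("2021-10-14T08:06:00", "reading", {"tag": "chlorine_ppm", "value": 1.20}),
    ("2021-10-14T08:07:00", "reading", {"tag": "chlorine_ppm", "value": 1.20}),
    ("2021-10-14T08:08:00", "reading", {"tag": "chlorine_ppm", "value": 1.20}),
    ("2021-10-14T08:09:00", "reading", {"tag": "chlorine_ppm", "value": 1.20}),
    ("2021-10-14T08:10:00", "reading", {"tag": "chlorine_ppm", "value": 1.20}),
    ("2021-10-14T08:15:00", "lockout", {"user": "operator1", "host": "hmi-01"}),
    ("2021-10-14T08:20:00", "restart", {"host": "scada-02", "reason": None}),
    ("2021-10-14T08:21:00", "reading", {"tag": "ph", "value": 9.8}),
]

# Assumed allowlist of accounts that may log into SCADA hosts.
AUTHORIZED_USERS = {"operator1", "operator2"}
# Assumed normal operating ranges per process tag (low, high).
NORMAL_RANGES = {"chlorine_ppm": (0.5, 4.0), "ph": (6.5, 8.5)}
# A tag that normally fluctuates is suspicious if this many consecutive
# samples are identical (assumed threshold).
FLATLINE_MIN_SAMPLES = 5


def check_events(events):
    """Return a list of (indicator, timestamp, detail) alerts for the events.

    Indicators map to the advisory's list: unauthorized access, lockout of
    legitimate personnel, unexplained restarts, abnormal parameters and
    parameter values that stop changing.
    """
    alerts = []
    series = defaultdict(list)  # per-tag reading history for flatline check

    for ts, kind, d in events:
        if kind == "login" and d["user"] not in AUTHORIZED_USERS:
            alerts.append(("unauthorized_access", ts, d["user"]))
        elif kind == "lockout" and d["user"] in AUTHORIZED_USERS:
            alerts.append(("legitimate_user_locked_out", ts, d["user"]))
        elif kind == "restart" and not d.get("reason"):
            # A restart with no planned-maintenance reason recorded is
            # treated as unexplained.
            alerts.append(("unexplained_restart", ts, d["host"]))
        elif kind == "reading":
            tag, value = d["tag"], d["value"]
            lo, hi = NORMAL_RANGES.get(tag, (float("-inf"), float("inf")))
            if not lo <= value <= hi:
                alerts.append(("abnormal_parameter", ts, f"{tag}={value}"))
            series[tag].append(value)

    # Flatline check: a process value that normally moves but has not
    # changed across the window may indicate a frozen or spoofed sensor.
    for tag, values in series.items():
        if len(values) >= FLATLINE_MIN_SAMPLES and max(values) == min(values):
            alerts.append(("flatline", None, tag))
    return alerts


def indicator_counts(events):
    """Summarize how many alerts of each indicator type were raised."""
    counts = defaultdict(int)
    for indicator, _ts, _detail in check_events(events):
        counts[indicator] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in check_events(SAMPLE_EVENTS):
        print(alert)
    print(indicator_counts(SAMPLE_EVENTS))
```

In practice the event stream would come from the historian, HMI audit logs and host logs rather than an inline list, and the allowlist and ranges would be maintained alongside the site's normal change-control records so that planned restarts and calibration work do not generate noise.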