Federal agencies have issued a joint advisory to warn about ongoing cyber threats to U.S. water and wastewater systems. Ensuring the supply of drinking water and wastewater services is essential to protect public health, the environment, and the economy. Attacks on water and wastewater systems (WWS) can result in illnesses, casualties, and/or a denial of service that would affect other critical services, such as firefighting and healthcare, and interdependent sectors.
The advisory results from analyses by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA), and highlights ongoing malicious cyber activity targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of water and wastewater facilities.
The alert states that both known and unknown actors are responsible for the malicious cyber activity, which includes attempts to compromise system integrity via unauthorized access, threatening the ability of water and wastewater systems to provide clean, potable water to, and effectively manage the wastewater of, their communities. It also notes that “although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS sector versus others.”
The threats include ransomware attacks, experienced by several water and wastewater facilities across the country in 2020 and 2021, and insider threats from current or former employees whose credentials remain improperly active. In March 2019, a former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.
To prevent, detect and respond to cyber threats, the FBI, CISA, EPA, and NSA recommend WWS facilities use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations, including:
- Personnel responsible for monitoring WWS should check for suspicious activities and indicators;
- Remote access mitigations, such as requiring multi-factor authentication for all remote access to the OT network, including from the IT network and external networks;
- Network mitigations, such as implementing and ensuring robust network segmentation between IT and OT networks;
- Planning and operational mitigations, ensuring the emergency response plan considers the full range of potential impacts that cyberattacks pose to operations;
- Independent cyber-physical safety systems, allowing operators to take physical steps to limit the damage.
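Two of the conditions above, stale credentials of off-boarded staff (the Kansas case) and remote access to OT without multi-factor authentication, can be checked from remote-access logs. The script below is an added illustration, not part of the advisory or any vendor tool; the key=value log format, the user names and the dates are constructed for the example.

```python
"""Audit constructed remote-access log lines for two conditions the advisory
calls out: successful logins by off-boarded staff whose credentials were never
revoked, and remote access to the OT network without multi-factor authentication."""
from datetime import datetime

# Constructed sample data, not taken from the advisory or any real facility.
# Off-boarded users mapped to the date their access should have been revoked.
OFFBOARDED = {"jdoe": "2019-03-01"}

# Constructed log lines in a hypothetical "TIMESTAMP key=value ..." format.
SAMPLE_LOG = [
    "2019-03-12T02:14:00 user=jdoe src=external dst=OT mfa=no result=success",
    "2019-03-12T08:05:00 user=asmith src=IT dst=OT mfa=yes result=success",
    "2019-03-12T09:30:00 user=bkim src=IT dst=OT mfa=no result=success",
    "2019-02-20T16:00:00 user=jdoe src=external dst=IT mfa=yes result=success",
    "2019-03-13T11:00:00 user=mlee src=external dst=OT mfa=yes result=failure",
]


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def audit_remote_access(log_lines, offboarded):
    """Return (finding, user, timestamp) tuples for the two conditions."""
    revoke_by = {u: datetime.fromisoformat(d) for u, d in offboarded.items()}
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec.get("result") != "success":
            continue  # failed attempts deserve their own alerting; out of scope here
        user, ts = rec["user"], rec["ts"]
        # 1. Successful login by someone whose credentials should have been revoked.
        if user in revoke_by and ts >= revoke_by[user]:
            findings.append(("stale_credential_login", user, ts.isoformat()))
        # 2. Successful remote access into OT without MFA, whether from IT or external.
        if rec.get("dst") == "OT" and rec.get("mfa") != "yes":
            findings.append(("ot_access_without_mfa", user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_LOG, OFFBOARDED):
        print(*finding)
```

On the sample data the audit flags the post-resignation login by `jdoe` twice (stale credential, and OT access without MFA) and the non-MFA OT login by `bkim`; the earlier `jdoe` login is not flagged because it predates the revocation date.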