CISA: Joint Cybersecurity Advisory on Ongoing Cyber Threats to U.S. Water and Wastewater Systems

 

Joint Cybersecurity Advisory on Ongoing Cyber Threats to U.S. Water and Wastewater Systems

 

The Cybersecurity and Infrastructure Security Agency (CISA) partnered with the Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA) and National Security Agency (NSA) and released a Joint Cybersecurity Advisory about ongoing malicious activity targeting the U.S. Water and Wastewater Systems (WWS) Sector. The advisory informs leaders and operators in this sector on the various methods used by malicious cyber actors, potential weaknesses or practices that can enable a cyber breach, and recommended actions and best practices that should be taken to protect enterprise and control systems networks.

The FBI, CISA, NSA, and EPA want to highlight ongoing malicious cyber actors—both known and unknown—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. WWS Sector facilities. This activity—which includes attempts to compromise system integrity via unauthorized access—threatens two National Critical Functions, the ability to supply water and the ability to manage wastewater.

WWS facilities may be vulnerable to common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks, systems, and devices. For example, spearphishing is one of the most prevalent techniques used for initial access as personnel and their potential gaps in cyber awareness are often a point of vulnerability. Other potential weaknesses include exposing services to the internet, such as access applications; unsupported or outdated operating systems and software increasing the risk of compromise; control system devices with vulnerable firmware versions; and the absence of an organizational culture that fosters cyber readiness among WWS facilities, many of which have minimal staff.

The advisory provides several recommended mitigations in four categories, which are remote access, network, safety system, and planning and operational. It also includes additional best practices and resources offered at no-cost to the WWS Sector. Of note, the EPA offers support for cybersecurity measures with the Clean Water and Drinking Water State Revolving Funds. It also includes two new CISA resources,  Cyber Risks & Resources for the Water and Wastewater Systems Sector infographics that details both information technology and operational technology risks the WWS Sector faces and provides select resources.

Although this joint advisory is focused on the WWS Sector, all critical infrastructure sectors should review the advisory as much of the threat and mitigation information is applicable to all sectors. Organizations should read the advisory, assess your unique cybersecurity environment, and implement recommended mitigations for any observed security gaps or weaknesses.

The advisory can be found here and any support you and your organizations can do to amplify this joint advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.

 

Thank you for sharing this information broadly.

Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
Cell:  217-299-3954 | steven.lyddon@cisa.dhs.gov