This advisory is a joint effort by the FBI, CISA, EPA, and NSA. It emphasizes ongoing cyber risks from known and unknown sources targeting the IT and OT networks, systems, and devices of US water and wastewater systems (WWS) facilities. These threats, which include attempts to gain unauthorized access, put at risk the ability of WWS facilities to provide clean water and manage wastewater for their communities. Note: cyberattacks are rising across all critical infrastructure sectors. However, this advisory does not suggest that the WWS sector is being targeted more than others.  

To help protect WWS facilities, including Department of Defense water treatment sites in the US and overseas, CISA, FBI, EPA, and NSA strongly encourage organizations to follow the steps in the recommended mitigations section below.  

Technical Details 

Threat Overview 

Tactics, Techniques, And Procedures 

WWS facilities may be exposed to common attacker tactics, techniques, and procedures (TTPs). These are the methods attackers use to break into and control information technology (IT) and operational technology (OT) networks, systems, and devices. IT refers to computers and communications used for data processing, while OT refers to industrial equipment and systems that control physical processes, such as those that treat water or manage wastewater.  

  • Spear phishing, the practice of sending targeted emails to trick recipients into installing malicious software such as ransomware by clicking links or attachments, is a common tactic used by attackers [T1566].  

Spear phishing is one of the most common ways attackers first gain access to IT networks. Employees who are not fully aware of cyber risks can be a weak point. They might open harmful attachments or links in emails that have slipped past security filters. This action can allow attackers to run malicious software.  

When organizations connect their IT and OT systems, attackers who have broken into the IT network through spear phishing or other methods can sometimes reach OT assets as well, whether deliberately or by accident.

  • Exploitation of internet-connected services and applications that allow remote access to WWS networks [T1210].

For example, attackers can exploit an internet-exposed Remote Desktop Protocol (RDP) service that has not been properly secured to spread ransomware across a network. If RDP is used to reach process control equipment, this could likewise disrupt WWS operations.

Note: the rise in remote work during the COVID-19 pandemic has likely made weaknesses in remote access more common.  

  • Exploitation of unsupported or outdated operating systems and software  

Attackers frequently target organizations that lack the resources or do not prioritize updating their IT and OT systems. WWS facilities usually spend more on replacing or repairing physical infrastructure, such as pipes, rather than modernizing IT or OT systems.  

Many WWS facilities are municipal systems with varying resources. Not all can maintain high cybersecurity standards. This can lead to the use of unsupported or outdated operating systems and software.  

  • Exploitation of control system devices with vulnerable firmware versions  

WWS facilities commonly use outdated control system devices or firmware, exposing WWS networks to publicly known, remotely exploitable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial-of-service conditions (preventing system access), or loss of sensitive data [T0827].

WWS Sector Cyber Intrusions 

Cyber intrusions targeting US WWS facilities underscore vulnerabilities associated with the following threats:  

  • Insider threats from current or former employees who maintain improperly active credentials  
  • Ransomware attacks  

WWS cyber intrusions from 2019 to 2021 include:  

  • In August 2021, malicious cyber actors used the Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three Supervisory Control and Data Acquisition (SCADA) servers displayed a ransomware message.  
  • In July 2021, cyber actors used remote access to install the ZuCaNo ransomware on a wastewater SCADA computer at a Maine-based WWS facility. The treatment system was run manually, using local control and more frequent operator rounds, until the SCADA computer was restored.
  • In March 2020, cyber attackers used a known ransomware variant against a Nevada-based water and wastewater systems (WWS) facility. The ransomware affected the victim’s supervisory control and data acquisition (SCADA) system and backup systems. SCADA refers to computer systems that gather and analyze real-time data within industrial control systems. The SCADA system provides visibility and monitoring, but is not a full industrial control system (ICS). An ICS is a broader system that automatically manages industrial processes.  
  • In September 2020, personnel at a New Jersey-based WWS facility discovered that potential Makop ransomware had compromised files within their system.  
  • In March 2019, a former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.

Mitigations 

The FBI, CISA, EPA, and NSA recommend that WWS facilities, including DoD treatment sites in the US and abroad, use a risk-based approach to determine technical and non-technical steps to prevent, detect, and respond to cyber incidents.  

WWS Monitoring 

Staff who monitor WWS systems should watch for these signs of suspicious activity, which could point to a cyber threat:  

  • Inability of WWS facility personnel to access SCADA system controls at any time, either entirely or in part
  • Unfamiliar data windows or system alerts appearing on SCADA system controls and facility data screens, which could indicate a ransomware attack
  • Detection by SCADA system controls or water treatment staff of unusual operating parameters, such as chemical addition rates for treating drinking water that are much higher than normal
  • Access to SCADA systems by unauthorized individuals or groups, for example former employees, or current employees who are not authorized or assigned to operate SCADA systems and controls
  • Access to SCADA systems at unusual times, which may indicate that a legitimate user’s credentials have been compromised
  • Unexplained SCADA system restarts
  • Unchanging parameter values that normally fluctuate
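Several of the signs above (abnormal chemical addition rates, parameter values that stop fluctuating, unexplained SCADA restarts) can be checked mechanically against historian data. The following Python script is an added example, not part of the advisory or of any vendor product: it runs three such checks over a constructed day of SCADA readings. The tag names, engineering limits, sampling interval and maintenance schedule are assumptions chosen for illustration.

```python
# Added example (not from the advisory): a small checker for the process-level
# warning signs listed above, run over constructed SCADA historian records.
# Tag names, limits and the sampling interval are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sample:
    ts: datetime
    tag: str
    value: float
    event: str = ""  # "restart" marks a SCADA host restart record


@dataclass(frozen=True)
class Finding:
    kind: str
    tag: str
    ts: datetime
    detail: str


def _t(hour, minute):
    """Timestamp on the constructed sample day."""
    return datetime(2021, 10, 14, hour, minute)


# Constructed data, sampled every 15 minutes from 00:00: the hypochlorite dose rate
# jumps far above normal at 02:00-02:15, and the effluent pH tag freezes at 7.3 from
# 01:45 onward (a stuck or spoofed value). Two SCADA host restarts are recorded.
DOSE = [1.8, 1.9, 2.0, 1.9, 2.1, 1.8, 1.9, 2.0, 8.5, 9.2, 2.0, 1.9]
PH = [7.2, 7.3, 7.1, 7.2, 7.4, 7.2, 7.1, 7.3, 7.3, 7.3, 7.3, 7.3]
SAMPLES = (
    [Sample(_t(0, 0) + timedelta(minutes=15 * i), "HYPO_DOSE_MGL", v) for i, v in enumerate(DOSE)]
    + [Sample(_t(0, 0) + timedelta(minutes=15 * i), "PH_EFFLUENT", v) for i, v in enumerate(PH)]
    + [Sample(_t(1, 30), "SCADA_HOST", 0.0, "restart"), Sample(_t(3, 2), "SCADA_HOST", 0.0, "restart")]
)
LIMITS = {"HYPO_DOSE_MGL": (0.5, 3.0)}    # operator-supplied engineering limits (min, max)
FLUCTUATING = {"PH_EFFLUENT": (4, 0.05)}  # (run length, tolerance) for tags that normally vary
SCHEDULED_RESTARTS = [_t(3, 0)]            # planned maintenance restarts


def series(samples, tag):
    """Readings for one tag in time order."""
    return sorted((s for s in samples if s.tag == tag), key=lambda s: s.ts)


def out_of_range(samples, limits):
    """Chemical addition rates (or any tag) outside their engineering limits."""
    findings = []
    for tag, (lo, hi) in limits.items():
        for s in series(samples, tag):
            if not lo <= s.value <= hi:
                findings.append(Finding("out_of_range", tag, s.ts, f"{s.value} outside [{lo}, {hi}]"))
    return findings


def flatlines(samples, fluctuating):
    """Tags that normally fluctuate but hold a constant value; one finding per flat run."""
    findings = []
    for tag, (window, tol) in fluctuating.items():
        pts = series(samples, tag)
        i = window
        while i <= len(pts):
            vals = [p.value for p in pts[i - window:i]]
            if max(vals) - min(vals) <= tol:
                findings.append(Finding("flatline", tag, pts[i - window].ts,
                                        f"{window} consecutive readings within {tol}"))
                while i < len(pts) and abs(pts[i].value - vals[0]) <= tol:  # skip rest of the run
                    i += 1
            i += 1
    return findings


def unexplained_restarts(samples, scheduled, slack=timedelta(minutes=10)):
    """Restart records that do not fall inside a planned maintenance window."""
    return [Finding("unexplained_restart", s.tag, s.ts, "no matching maintenance window")
            for s in samples if s.event == "restart"
            and not any(abs(s.ts - w) <= slack for w in scheduled)]


def run_checks(samples, limits, fluctuating, scheduled):
    return (out_of_range(samples, limits) + flatlines(samples, fluctuating)
            + unexplained_restarts(samples, scheduled))


if __name__ == "__main__":
    for f in run_checks(SAMPLES, LIMITS, FLUCTUATING, SCHEDULED_RESTARTS):
        print(f"{f.ts:%H:%M} {f.kind:<19} {f.tag:<14} {f.detail}")
```

The limits and flat-run thresholds are deliberately supplied by the operator rather than learned from the data, because a historian that has already been tampered with is not a trustworthy baseline; the restart check only treats a restart as explained when it falls within a short window around a planned maintenance time.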

Remote Access Mitigations 

Note: because remote operations have increased during the COVID-19 pandemic, it’s even more important for asset owners and operators to review the risks of remote access and make sure they are acceptable.

  • Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.  
  • Use blocklisting and allowlisting to limit remote access to users with verified business and/or operational needs.  
  • Ensure that all remote access technologies have logging enabled, and regularly audit these logs to identify instances of illicit access.  
  • Use manual start and stop features instead of always-activated unattended access to reduce the time remote access services run.  
  • Audit networks for systems using remote access services.
  • Close unneeded network ports associated with remote access services.  
  • When configuring access control for a host, utilize custom settings to limit the access a remote party can attempt to acquire.  
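Two of the points above, allowlisting remote access to users with a verified need and regularly auditing remote-access logs, and the monitoring signs of access by unauthorized individuals or at unusual times, can be combined into one routine log review. The script below is an added example written for this page, not code from the advisory or from any gateway vendor: it parses a constructed remote-access gateway log and reports successful logons by users who are not on the allowlist, outside their approved hours, or from networks they are not approved to connect from. The log format, user names, addresses and policy values are all constructed assumptions.

```python
# Added example (not from the advisory): audit a remote-access gateway log against an
# allowlist of approved remote users, their approved hours and source networks.
# The log format, user names, addresses and policy values are constructed assumptions.
import ipaddress
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) remote-access: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Approved remote users: permitted hours (UTC, start inclusive, end exclusive) and source
# networks. A former employee ("rsmith") is deliberately absent from the allowlist.
ALLOWLIST = {
    "ops_oncall": {"hours": (6, 20), "sources": ["198.51.100.0/24"]},
    "vendor_acme": {"hours": (8, 18), "sources": ["192.0.2.0/24"]},
}

# Constructed gateway log lines.
LOG_LINES = """\
2021-10-14T07:05:11Z gw01 remote-access: user=ops_oncall src=198.51.100.23 result=success
2021-10-14T02:14:07Z gw01 remote-access: user=ops_oncall src=198.51.100.23 result=success
2021-10-14T09:40:02Z gw01 remote-access: user=vendor_acme src=203.0.113.45 result=success
2021-10-14T11:20:55Z gw01 remote-access: user=rsmith src=198.51.100.88 result=success
2021-10-14T11:21:30Z gw01 remote-access: user=ops_oncall src=198.51.100.23 result=failure
"""


def parse_line(line):
    """Parse one gateway log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def check_record(rec, allowlist):
    """Return the reasons a successful logon violates policy (empty list if it is fine)."""
    reasons = []
    policy = allowlist.get(rec["user"])
    if policy is None:
        return ["user not on remote-access allowlist"]
    start, end = policy["hours"]
    if not start <= rec["ts"].hour < end:
        reasons.append(f"logon at {rec['ts']:%H:%M} UTC outside approved hours {start:02d}-{end:02d}")
    if not any(rec["src"] in ipaddress.ip_network(n) for n in policy["sources"]):
        reasons.append(f"source {rec['src']} not in approved networks")
    return reasons


def audit(lines, allowlist):
    """Successful logons that break policy, as (timestamp, user, reasons) tuples."""
    findings = []
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue  # failed attempts are the domain of lockout policy, not this audit
        reasons = check_record(rec, allowlist)
        if reasons:
            findings.append((rec["ts"], rec["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in audit(LOG_LINES, ALLOWLIST):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: " + "; ".join(reasons))
```

The review only covers successful logons because that is what "illicit access" means for this audit; the allowlist is keyed by user and carries both a time window and source networks, so a valid credential used from an unexpected place or at an unexpected hour is still reported.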

Network Mitigations 

Implement and ensure secure network segmentation between IT and OT networks to limit malicious cyber actors’ ability to move to the OT network after compromising the IT network. Network segmentation means separating networks into different zones, so a breach in one area does not easily allow access to other areas.  

  • Implement demilitarized zones, firewalls, jump servers, and one-way communication diodes to prevent unregulated communication between IT and OT networks.
  • Develop/update network maps to ensure full accounting of all network-connected equipment.  

Remove any equipment from networks that is not required for operations to reduce the attack surface that threat actors can exploit.  
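The segmentation and network-map recommendations above can be verified rather than assumed: observed flows (for example exported from firewall logs) can be checked against the intended zone policy, and any address that appears in the flows but not on the network map points to unaccounted equipment. The Python script below is an added example, not part of the advisory; the zones, the jump host and historian addresses, the ports and the flow records are constructed assumptions that model an IT/DMZ/OT design where the jump host is the only path into OT and the historian only receives data outward through a one-way diode.

```python
# Added example (not from the advisory): check observed network flows against the
# IT/DMZ/OT segmentation policy described above and report hosts missing from the
# network map. Addresses, zones, ports and the flow records are constructed assumptions.
import ipaddress

# Network map: zone -> address ranges. Anything outside these ranges is unaccounted for.
ZONES = {
    "IT": ["10.10.0.0/16"],
    "DMZ": ["10.20.0.0/24"],
    "OT": ["10.30.0.0/16"],
}
JUMP_HOST = "10.20.0.10"    # the only permitted path from IT into OT
HISTORIAN = "10.20.0.20"    # receives OT data through a one-way diode

# Permitted cross-zone flows: (source, destination, port). An entry may be a zone name
# or a specific host address; everything else that crosses a zone boundary is a violation.
RULES = [
    ("IT", JUMP_HOST, 3389),      # operators reach the jump host over RDP
    (JUMP_HOST, "OT", 3389),      # the jump host reaches OT engineering workstations
    ("OT", HISTORIAN, 5044),      # OT pushes data outward to the DMZ historian only
]

# Constructed flow records (src, dst, dport), e.g. exported from a firewall log.
FLOWS = [
    ("10.10.5.7", "10.20.0.10", 3389),
    ("10.20.0.10", "10.30.1.15", 3389),
    ("10.10.5.7", "10.30.1.15", 3389),     # IT host talking straight to OT
    ("10.30.1.20", "10.20.0.20", 5044),
    ("10.20.0.20", "10.30.1.20", 5044),    # traffic back toward OT, against the diode direction
    ("10.10.5.7", "10.10.9.9", 445),       # within IT, not a segmentation matter
    ("192.168.77.4", "10.30.1.15", 502),   # source not on the network map
]


def zone_of(addr, zones):
    """Zone name for an address, or None if the address is not on the network map."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in zones.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return zone
    return None


def _matches(selector, addr, zone):
    return selector == addr or selector == zone


def flow_allowed(src, dst, port, zones, rules):
    """True if the flow stays inside one zone or is explicitly permitted by a rule."""
    src_zone, dst_zone = zone_of(src, zones), zone_of(dst, zones)
    if src_zone == dst_zone:
        return True  # intra-zone traffic is out of scope for the segmentation check
    return any(_matches(s, src, src_zone) and _matches(d, dst, dst_zone) and p == port
               for s, d, p in rules)


def audit_flows(flows, zones, rules):
    """Return (violations, unmapped): cross-zone flows not covered by a rule, and
    addresses that appear in the flows but are absent from the network map."""
    violations, unmapped = [], set()
    for src, dst, port in flows:
        missing = [a for a in (src, dst) if zone_of(a, zones) is None]
        if missing:
            unmapped.update(missing)
            continue  # zone policy cannot be judged for a host that is not mapped
        if not flow_allowed(src, dst, port, zones, rules):
            violations.append((src, dst, port))
    return violations, unmapped


if __name__ == "__main__":
    bad, unknown = audit_flows(FLOWS, ZONES, RULES)
    for src, dst, port in bad:
        print(f"VIOLATION {src} ({zone_of(src, ZONES)}) -> {dst} ({zone_of(dst, ZONES)}):{port}")
    for addr in sorted(unknown):
        print(f"UNMAPPED  {addr} is not on the network map")
```

Rules are written as an explicit allowlist so that any cross-zone flow not matched is reported, including the reverse direction of the historian feed, which is exactly what a diode is supposed to make physically impossible.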

Planning And Operational Mitigations 

Make sure your organization’s emergency response plan covers all cyberattack impacts like losing or changing system views, losing or changing control, and safety risks.  

  • Include third parties who access the OT network, such as plant engineers and vendors.  
  • Review, test, and update the emergency plan annually to keep it current.  

Practice switching to backups, including manual operation if electronic communications fail.  

Give employees a chance to practice decision-making through tabletop exercises that include scenarios where visibility is lost. Use resources like the EPA’s Cybersecurity Incident Action Checklist and the Ransomware Response Checklist on page eleven of the CISA/MS-ISAC Joint Ransomware Guide.  

Safety System Mitigations 

Set up independent cyber-physical safety systems. These prevent physical escalation in dangerous situations if a threat actor compromises control.  

Examples of cyber-physical safety system controls include:  

  • Size of the chemical feed pump
  • Gearing on valves
  • Pressure switches

These controls help WWS sector facilities, especially smaller ones with limited cybersecurity capability. Staff can review their systems from a worst-case point of view and identify additional protections. With such safety systems in place, operators can act physically to limit damage. For example, they can stop cyber attackers who have taken control of a sodium hydroxide pump from raising the pH to dangerous levels.

Additional Mitigations 

Build a workplace culture ready to address online threats. Check out the CISA Cyber Essentials and Resources section below for more guidance.  

Keep software up to date, including operating systems, applications, and firmware on IT network devices. Use a risk-based approach when choosing OT network devices and areas for the patch management program. You may also use a centralized patch management system.  

Set antivirus and anti-malware programs to scan IT devices regularly with the latest signatures. Use a risk-based inventory to decide how OT devices are checked for malware.  

Back up data regularly on both IT and OT networks. Keep the backups disconnected from the network so that ransomware cannot spread to them.

When possible, turn on OT device authentication. Use encrypted OT protocols and encrypt all wireless communications. This keeps process control data private and authentic while it is sent.  

Use user account management to remove, disable, or rename any default system accounts wherever possible.

  • Set up account lockout policies to reduce the risk of brute-force attacks. Monitor the creation of administrator-level accounts and apply strong account management policies and procedures.
  • Have a user account policy that sets time limits for removing accounts after employees leave. Apply time limits for deactivating accounts after long periods of inactivity.  
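The account lifecycle policy above (time limits for removing accounts after employees leave and for deactivating accounts after long inactivity) is easy to state and easy to let slip, as the Kansas incident described earlier shows. The Python script below is an added example, not code from the advisory or any identity product: it reviews a constructed account inventory against HR termination dates and last-logon dates, and reports which accounts are overdue for removal, which should be disabled for inactivity, and any account that logged on after its owner's termination date. Names, dates and the policy thresholds are constructed assumptions.

```python
# Added example (not from the advisory): review a user account inventory against an
# account lifecycle policy: remove accounts within a set number of days after an
# employee leaves, disable accounts inactive for too long, and flag any logon that
# occurred after the termination date. Names, dates and policy values are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]     # None if the account has never logged on
    terminated_on: Optional[date]  # from HR records; None for current staff


@dataclass(frozen=True)
class Policy:
    removal_grace_days: int = 7    # accounts must be gone this many days after departure
    inactivity_days: int = 90      # disable accounts unused for this long


# Constructed inventory as of the review date below.
REVIEW_DATE = date(2021, 10, 14)
ACCOUNTS = [
    Account("jdoe", True, date(2021, 10, 13), None),
    Account("rsmith", True, date(2021, 10, 12), date(2021, 9, 1)),   # left six weeks ago, still enabled
    Account("svc_hist", True, date(2021, 1, 15), None),              # service account, unused for months
    Account("mlee", True, date(2021, 10, 11), date(2021, 10, 12)),   # left two days ago, inside grace period
    Account("old_vendor", False, None, date(2020, 3, 1)),            # already disabled
]


def review_account(acct, today, policy):
    """Actions required for one account, as (action, reason) tuples."""
    actions = []
    if acct.terminated_on is not None:
        days_gone = (today - acct.terminated_on).days
        if acct.enabled and days_gone > policy.removal_grace_days:
            actions.append(("remove", f"terminated {days_gone} days ago, still enabled"))
        if acct.last_logon is not None and acct.last_logon > acct.terminated_on:
            # a logon after departure is the insider-threat pattern, not just a hygiene gap
            actions.append(("investigate",
                            f"logon on {acct.last_logon} after termination on {acct.terminated_on}"))
        return actions
    if acct.enabled:
        if acct.last_logon is None:
            actions.append(("disable", "never logged on"))
        else:
            idle = (today - acct.last_logon).days
            if idle > policy.inactivity_days:
                actions.append(("disable", f"inactive for {idle} days"))
    return actions


def review_all(accounts, today, policy):
    """Map username -> required actions, omitting accounts that need nothing."""
    report = {}
    for acct in accounts:
        actions = review_account(acct, today, policy)
        if actions:
            report[acct.username] = actions
    return report


if __name__ == "__main__":
    for user, actions in review_all(ACCOUNTS, REVIEW_DATE, Policy()).items():
        for action, reason in actions:
            print(f"{user:<12} {action:<12} {reason}")
```

The review treats a post-termination logon as something to investigate rather than merely to clean up, because the account has already been used after the point at which it should have been revoked; the grace period and inactivity threshold are the two time limits the policy above asks each organization to set.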

Use data execution prevention controls. Apply tools like application allowlisting and software restriction policies to stop programs from running in common ransomware locations, such as temporary folders used by internet browsers.  

Train users with awareness programs and simulations to spot and report phishing and social engineering. Watch for unusual activity and suspend access if needed.

Source: Ongoing Cyber Threats to U.S. Water and Wastewater Systems