CISA, the FBI, and the Environmental Protection Agency (EPA) shared a list of defense measures U.S. water utilities should implement to better defend their systems against cyberattacks.
The fact sheet they published today outlines the top eight actions U.S. Water and Wastewater Systems (WWS) sector organizations can take to reduce cyberattack risks and boost their resilience against malicious activity. It also details the free services, resources, and tools that can be used in support of these defense measures.
“CISA, EPA, and FBI urge all WWS Sector and critical infrastructure organizations to review the fact sheet and implement the actions to improve resilience to cyber threat activity,” the agencies said.
“Entities requiring additional support for implementing any of the actions outlined in the fact sheet, should contact EPA and/or their regional CISA cybersecurity advisor for assistance.”
Water utilities are advised to reduce exposure of key assets (including OT devices such as controllers and remote terminal units) to the public-facing internet and conduct regular cybersecurity assessments to understand the existing vulnerabilities within OT and IT systems.
They should also immediately change all default or insecure passwords and implement multifactor authentication (MFA) wherever possible, create inventories of OT/IT assets to understand their attack surface, and regularly back up OT/IT systems for easier recovery after a breach.
WWS facilities are also advised to patch or mitigate known vulnerabilities to block exploitation attempts, develop and exercise cybersecurity incident response and recovery plans for faster reaction times in case of a compromise, and conduct annual cybersecurity awareness training to help employees understand how to prevent and respond to cyberattacks.
Critical water infrastructure worldwide under attack
Water facilities have been repeatedly targeted by cyberattacks in recent years, compromising the security of critical infrastructure and raising concerns about public safety.
Since the start of the year, several water treatment companies have been breached in ransomware attacks that forced them to shut down systems to contain the breaches, including Veolia North America and the U.K.’s Southern Water.
In response, CISA, the FBI, and the EPA have issued an incident response guide to help defenders secure water utilities.
In September, the U.S. cybersecurity agency also released a free security scan program to help critical infrastructure facilities like water utilities detect security gaps and secure systems from cyberattacks.
In November, CISA warned that hackers infiltrated a Pennsylvania water facility by exploiting vulnerable Unitronics programmable logic controllers (PLCs), although potable water safety for local communities remained uncompromised.
Over recent years, facilities within the U.S. Water and Wastewater Systems (WWS) Sector have been impacted by multiple breaches that led to Ghost, ZuCaNo, and Makop ransomware deployment.
These ransomware attacks impacted a South Houston wastewater treatment plant in 2011, a water company with outdated software and hardware equipment in 2016, the Southern California Camrosa Water District in August 2020, and a Pennsylvania water system in May 2021.