Targeted are the information technology and the operational technology networks, systems, and devices of the WWS. The CISA cites three types of attacks being used in the above-mentioned incidents: spear-phishing; exploitation of outdated or unsupported operating systems and software; and manipulation of vulnerable firmware versions being run by control system devices. These incidents include “attempts to compromise system integrity via unauthorized access,” which the CISA states are a threat to “the ability of WWS facilities to provide clean, potable water, and effectively manage the wastewater of, their communities.”
The U.S. Water and Wastewater Systems Cyber Incidents
The joint advisory covers cyber intrusions from both current or former employees who still have active credentials and external threats, such as Ransomware attacks. These cyber intrusions include:
August 2021 — A California-based facility was targeted by Ghost ransomware. Ghost ransomware is designed to encrypt and rename data. Then the person or persons behind the attack demand payment for the tools required to decrypt the files. In this case, the ransomware was discovered when three supervisory control and data acquisition (SCADA) servers displayed a message demanding payment. July 2021 — A facility in Maine had their wastewater SCADA computer infected with the ZuCaNo ransomware when the system was unlawfully accessed by an outside party. Like the Ghost ransomware, ZuCaNo ransomware encrypts the affected data. However, instead of demanding payment for a decryption tool, a ransom is demanded for the decrypted data. The CISA’s advisory did not mention if payment was made on this attack. They did confirm that the treatment system was run manually until the affected computer was restored. March 2021 — A facility in Nevada was attacked by unknown ransomware. The systems affected were the SCADA system that provides visibility and monitoring, as well as the backup systems. September 2020 — A New Jersey-based facility’s files were compromised by potential Makop ransomware. Makop is a file-locking trojan that is harder to detect than other ransomware. March 2019 — An attack on the safety of drinking water was attempted on a Kansas-based facility by a former employee. The former employee attempted to use his user credentials, which were still active, to access a facility computer remotely. The attack was unsuccessful.
How the WWS is Mitigating Cyber Threats
CISA confirmed that WWS facilities have implemented a multiple-element mitigation plan to prevent, detect, and respond to cyber threats. WWS employees will be monitoring for various suspicious activities across multiple systems and levels. Additionally, they have implemented improved remote access security such as “multi-factor authentication for all remote access to the OT network.” Per the advisory, WWS facilities have also implemented improved network mitigation protocols such as “[implementing] and [ensuring] robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network.” They also plan to “develop/update network maps to ensure a full accounting of all equipment that is connected to the network.” Lastly, WWS facilities have implemented both procedural and physical cyber security improvements to secure the U.S. water and wastewater systems. Such steps — like ensuring that emergency response plans take all potential impacts into consideration, as well as installing independent cyber-physical safety systems — are just a small part of the organization’s in-depth plan to fight cyber security threats and keep the United States’ water safe.