- Federal authorities are warning about a rise in ransomware and other threat activity — from known and unknown actors — targeting local water and wastewater (WWS) facilities in the U.S. The threat actors are targeting IT and OT systems at these facilities using spear phishing attacks against unsuspecting personnel to gain network access.
- The joint advisory, from the FBI, the Cybersecurity & Infrastructure Security Agency (CISA), the Environmental Protection Agency and the National Security Agency, tracks attacks over the last two years. It follows an August attack against a California wastewater facility using the Ghost variant ransomware and a July attack against a Maine facility using ZuCaNo ransomware, which used remote access to enter the system.
- Threat actors are targeting systems with often outdated operating systems or unpatched software, the advisory said. Many of the facilities are underfunded or have not maintained adequate security controls and may be running industrial controls with vulnerable versions of firmware.
The attacks highlight an ongoing threat to vulnerable and underfunded infrastructure systems in the U.S., which have been targeted with increasing frequency in recent years by criminal and nation-state actors.
Last month, the FBI and CISA put out a warning about potential ransomware attacks against agricultural and food sites, and by September threat actors targeted at least two farm co-ops in Iowa and Minnesota.
"Recent ransomware incidents and ongoing threats demonstrate why all critical infrastructure owners and operators should make cybersecurity a top priority," Eric Goldstein, executive assistant director for cybersecurity at CISA, said in an emailed statement. "While vulnerabilities within the water sector are comparable to vulnerabilities observed across many other sectors, the criticality of water and wastewater infrastructure and recent intrusions impacting the sector reflect the need for continued focus and investment."
The battle against critical infrastructure attacks doesn't begin the day of the incident, Goldstein said but well before with proactive measures to prevent such attacks.
While federal authorities did not provide details of the exact locations of the attacks, the threat actors in most cases targeted the supervisory control and data acquisition (SCADA) servers, according to the advisory.
In the California attack, the Ghost ransomware variant was in the system for about a month when three SCADA servers displayed a ransomware message, according to the advisory. In a March 2021 attack in Nevada, an unknown ransomware variant was used to attack the facility's SCADA and backup systems.
Smaller critical infrastructure sites have ongoing problems with security operations, according to Claroty. During the pandemic, the sites were managed via remote access software as a way to provide safe oversight using a limited number of workers.
The water and wastewater treatment industry has taken steps to address some of these concerns. A July hearing before the Senate Committee on Environment and Public Works featured officials from local water utilities in Delmar, Delaware as well as the city of Boston.
Just last week, the committee held field hearings on water infrastructure in Dover, Delaware and Beckley, West Virginia.
Beyond the threat of ransomware, there is also a risk from insiders either failing to safeguard their credentials or acting in a malicious manner that threatens the safety of these systems. In April, a former employee was charged with trying to hack into the Post Rock Rural Water District in Kansas.
"Municipal utilities have a primary objective: to deliver safe, reliable service to the community," Carmen Garibi, director, critical infrastructure cybersecurity, risk management and compliance at 1898 & Co. "Achieving this objective requires designers and operators of water and wastewater treatment facilities to address a broad range of microbial, physical and chemical risk factors. Cybersecurity threats to the operational technology landscape should now be part of this list."