The Federal Bureau of Investigation (FBI), which was recognized in the 2020 ‘ASTORS’ Awards Program for Excellence in Homeland Security, along with the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA), have released a joint advisory alert highlighting ongoing malicious cyber activity, by both known and unknown actors, targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities.
This activity, which includes attempts to compromise system integrity via unauthorized access, threatens the ability of U.S. Wastewater System (WWS) facilities to provide clean, potable water, and effectively manage the wastewater of, their communities.
Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.
To secure WWS facilities, including Department of Defense (DoD) water treatment facilities in the United States and abroad, against the tactics, techniques, and procedures (TTPs) listed below, CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory.
“Adversaries are targeting critical infrastructure like water treatment plants, pipelines and power plants for one reason – they want to cause disruption, damage and inflict harm,” explains Shawn Henry, President of Services and CSO at CrowdStrike (and former Executive Assistant Director, FBI’s Criminal, Cyber, Response and Services Branch)
“These actors are getting more aggressive and using tried and true techniques, including phishing, exploiting unsupported or outdated operating systems and software, ransomware and targeting control systems that may have vulnerable firmware.”
“The protection of critical infrastructure is a national security issue the public and private sector must take seriously.”
“CrowdStrike recommends a multi-pronged approach to combat these threats, to increase cyber resiliency against threat actors who continue to push the envelope by targeting critical infrastructure sectors we all rely on every day:”
-
Multi-factor authentication for all remote access to the OT network, including from the IT network and external networks
-
Continuous monitoring of networks on both the IT and OT level 24/7/365
-
Proper log management and privileged access management is implemented for all remote systems
-
Ensure an emergency response plan is in place
“Proactively securing the environment – to detect anomalous behavior in advance of an incident – is critical to avoiding a breach and protecting our networks. Anything short of that will most likely lead to catastrophic consequences.”
Technical Details
Threat Overview
Tactics, Techniques, and Procedures
WWS facilities may be vulnerable to the following common TTPs used by threat actors to compromise IT and OT networks, systems, and devices.
-
Spearphishing personnel to deliver malicious payloads, including ransomware [T1566].
-
Spearphishing is one of the most prevalent techniques used for initial access to IT networks. Personnel and their potential lack of cyber awareness are a vulnerability within an organization. Personnel may open malicious attachments or links to execute malicious payloads contained in emails from threat actors that have successfully bypassed email filtering controls.
-
When organizations integrate IT with OT systems, attackers can gain access—either purposefully or inadvertently—to OT assets after the IT network has been compromised through spearphishing and other techniques.
-
Exploitation of internet-connected services and applications that enable remote access to WWS networks [T1210].
-
For example, threat actors can exploit a Remote Desktop Protocol (RDP) that is insecurely connected to the internet to infect a network with ransomware. If the RDP is used for process control equipment, the attacker could also compromise WWS operations. Note: the increased use of remote operations due to the COVID-19 pandemic has likely increased the prevalence of weaknesses associated with remote access.
-
-
-
Exploitation of unsupported or outdated operating systems and software.
-
Threat actors likely seek to take advantage of perceived weaknesses among organizations that either do not have—or choose not to prioritize—resources for IT/OT infrastructure modernization. WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair (e.g., pipes) rather than IT/OT infrastructure.
-
The fact that WWS facilities are inconsistently resourced municipal systems—not all of which have the resources to employ consistently high cybersecurity standards—may contribute to the use of unsupported or outdated operating systems and software.
-
-
Exploitation of control system devices with vulnerable firmware versions.
-
WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data [T0827].
-
WWS Sector Cyber Intrusions
Cyber intrusions targeting U.S. WWS facilities highlight vulnerabilities associated with the following threats:
-
Insider threats, from current or former employees who maintain improperly active credentials
-
Ransomware attacks
WWS Sector cyber intrusions from 2019 to early 2021 include:
-
In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
-
In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
-
In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
-
In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
-
In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.
(2021 ‘ASTORS’ Awards Finalist Mission Secure Inc. (MSi) for Best ICS/SCADA Cyber Security, is a leading industrial control system (ICS) cybersecurity company protecting clients in maritime, industrial, autonomous vehicles, smart cities and defense industries from cyber attacks. The patented MSi Platform is the only end-to-end ICS cybersecurity solution with visibility and protection down to Levels 0-1. Courtesy of Mission Secure and YouTube.)
Mitigations
The FBI, CISA, EPA, and NSA recommend WWS facilities, including DoD water treatment facilities both in the United States and abroad, use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.
WWS Monitoring
Personnel responsible for monitoring WWS should check for the following suspicious activities and indicators, which may be indicative of threat actor activity:
-
Inability of WWS facility personnel to access SCADA system controls at any time, either entirely or in part;
-
Unfamiliar data windows or system alerts appearing on SCADA system controls and facility data screens that could indicate a ransomware attack;
-
Detection by SCADA system controls, or by water treatment personnel, of abnormal operating parameters—such as unusually high chemical addition rates—used in the safe and proper treatment of drinking water;
-
Access of SCADA systems by unauthorized individuals or groups, e.g., former employees and current employees not authorized/assigned to operate SCADA systems and controls.
-
Access of SCADA systems at unusual times, which may indicate that a legitimate user’s credentials have been compromised
-
Unexplained SCADA system restarts.
-
Unchanging parameter values that normally fluctuate.
-
Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.
-
Utilize blocklisting and allowlisting to limit remote access to users with a verified business and/or operational need.
-
Ensure that all remote access technologies have logging enabled and regularly audit these logs to identify instances of unauthorized access.
-
Utilize manual start and stop features in place of always activated unattended access to reduce the time remote access services are running.
-
Audit networks for systems using remote access services.
-
Close unneeded network ports associated with remote access services (e.g., RDP – Transmission Control Protocol [TCP] Port 3389).
-
-
When configuring access control for a host, utilize custom settings to limit the access a remote party can attempt to acquire.
Network Mitigations
-
Implement and ensure robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network.
-
Implement demilitarized zones (DMZs), firewalls, jump servers, and one-way communication diodes to prevent unregulated communication between the IT and OT networks.
-
-
Develop/update network maps to ensure a full accounting of all equipment that is connected to the network.
-
Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit.
-
Planning and Operational Mitigations
-
Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and threats to safety.
-
-
The plan should also consider third parties with legitimate need for OT network access, including engineers and vendors.
-
Review, test, and update the emergency response plan on an annual basis to ensure accuracy.
-
-
Exercise the ability to failover to alternate control systems, including manual operation while assuming degraded electronic communications.
-
Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Utilize resources such as the Environment Protection Agency’s (EPA) Cybersecurity Incident Action Checklist as well as the Ransomware Response Checklist on p. 11 of the
CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
Safety System Mitigations
-
Install independent cyber-physical safety systems.
-
These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor.
-
Examples of cyber-physical safety system controls include:
-
Size of the chemical feed pump
-
Gearing on valves
-
Pressure switches, etc.
-
-
These types of controls benefit WWS Sector facilities, especially smaller facilities with limited cybersecurity capability, because they enable facility staff to assess systems from a worst-case scenario and determine protective solutions.
-
Enabling cyber-physical safety systems allows operators to take physical steps to limit the damage, for example, by preventing cyber actors, who have gained control of a sodium hydroxide pump, from raising the pH to dangerous levels.
-
Additional Mitigations
-
Foster an organizational culture of cyber readiness. See the CISA Cyber Essentials along with the items listed in the Resources section below for guidance.
-
Update software, including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.
-
Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
-
Implement regular data backup procedures on both the IT and OT networks.
-
Regularly test backups.
-
Ensure backups are not connected to the network to prevent the potential spread of ransomware to the backups.
-
-
When possible, enable OT device authentication, utilize the encrypted version of OT protocols, and encrypt all wireless communications to ensure the confidentiality and authenticity of process control data in transit.
-
Employ user account management to:
-
Remove, disable, or rename any default system accounts wherever possible.
-
Implement account lockout policies to reduce risk from brute-force attacks.
-
Monitor the creation of administrator-level accounts by third-party vendors with robust and privileged account management policies and procedures.
-
Implement a user account policy that includes set durations for deactivation and removal of accounts after employees leave the organization or after accounts reach a defined period of inactivity.
-
-
Implement data execution prevention controls, such as application allowlisting and software restriction policies that prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers.
-
Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of users exhibiting unusual activity.
FBI, CISA, EPA, and NSA are expressing thanks to Dragos and the WaterISAC for their contributions to this advisory.
Resources
Cyber Hygiene Services
CISA offers a range of no-cost cyber hygiene services, including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats.
By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors.
Rewards for Justice Reporting
The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure.
See the RFJ website for more information and how to report information securely.
(Alejandro Mayorkas, the Secretary of the Department of Homeland Security, introduces the one stop federal resources to help mitigate against ransomware attacks. Learn more at https://www.StopRansomware.gov. Courtesy of CISA and YouTube.)
StopRansomware.gov
The StopRansomware.gov webpage is an interagency resource that provides guidance on ransomware protection, detection, and response.
This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:
-
CISA and MS-ISAC: Joint Ransomware Guide
-
CISA Insights: Ransomware Outbreak
-
CISA Webinar: Combating Ransomware
(The Cybersecurity and Infrastructure Security Agency (CISA) hosts webinars on a variety of salient cybersecurity topics. To learn more and sign up for alerts about future webinars, visit https://us-cert.gov/resources. Courtesy of CISA and YouTube.)
To Learn More or access a PDF version of the report, Click here.
Mission Secure Named a Finalist in 2021 ‘ASTORS’ Homeland Security Awards
Special Early Luncheon Registration Discount Ends November 1
American Security Today’s ‘ASTORS’ Homeland Security Awards program is today in its Sixth Year and continues to recognize the Outstanding Innovations of top firms and agencies in the Homeland Security and Public Safety fields.
The Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program highlighting the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition, and keep our Nation safe – one facility, street, and city at a time.
American Security Today is pleased to announce TSA Administrator David Pekoske, will join the organization as a featured speaker at the 2021 ‘ASTORS’ Homeland Security Awards Presentation Luncheon, on November 17, 2021 at ISC East in New York City.
“On the heels of an unprecedented global pandemic, continued unrest in our cities and potentially catastrophic cyberattacks on our nations critical infrastructure, the focus of the 2021 ‘ASTORS’ Awards Luncheon will be on the latest, state-of-the-art innovations that are driving investments in new public security and safety technologies and systems,” said AST Editorial and Managing Director Tammy Waitt.
“As a recognized expert in crisis management, strategic planning, innovation and aviation, surface transportation and maritime security, David Pekoske’s message highlighting his top priorities and challenges for the TSA based on his years of wide-ranging experience will be critical to our attendees internalizing the critical nature of these escalating challenges, and realizing innovative new approaches to meet them.”
The 2021 ‘ASTORS’ Awards Program is Proudly Sponsored by AMAROK, Fortior Solutions and SIMS Software, along with Returning Premier Sponsors ATI Systems, Attivo Networks, Automatic Systems, and Reed Exhibitions.
At ISC East 2021 you with the opportunity to interact with a broad array of security industry professionals.
ISC East works closely with other businesses in the security and public safety space to help bring together the Northeast’s largest security trade show each year.
In collaboration with premier sponsor SIA (Security Industry Association) and in partnership with ASIS NYC, ISC East is proud to work with and be supported by various associations, trade publications, charities, and more.
Therefore, the ISC audience of security dealers, installers, integrators, consultants, corporate, government and law enforcement/first responder practitioners will be joined by the ASIS NYC audience of major corporate managerial-through-director-level national and global security executives.
The combination of one-on-one conversations with the industry’s top innovators, integrators and security executives, special events, high-quality education and training, and strong support from industry associations, will allow attendees to learn and evaluate solutions from leading security exhibitors and brands.
With the integration of the Natural Disaster and Emergency Management (NDEM) Expo, the show is moving even further into our reader’s wheelhouse!
Your ‘ASTORS’ Awards Luncheon registration includes complimentary attendee access to ISC East, NDEM and the ASIS NYC Security Conference and Expo!
Thank take advantage of this exclusive luncheon opportunity to take a break from the show – Invite your team, guests, clients and show visitors to a lovely and affordable plated meal event in the heart of New York City, for a fabulous networking opportunity!
Special Early Luncheon Registration Discount Ends November 1
Go to https://americansecuritytoday.com/product/awards-luncheon/ to secure your seat or reserve a table.
***Early Registration Discount Ends November 1. Limited space available so Register Today. There will be no on-site registrations.
Why American Security Today?
The traditional security marketplace has long been covered by a host of publications putting forward the old school basics to what is Today – a fast changing security landscape.
The traditional security marketplace has long been covered by a host of publications putting forward the old school basics to what is Today – a fast changing security landscape.
American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State and local levels of government as well as firms allied to government.
American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers eyes throughout the story with cutting edge editorial that provides solutions to their challenges.
Harness the Power of the Web – with our 100% Mobile Friendly Publications
The AST Digital Publications is distributed to over 75,000 qualified government and homeland security professionals in federal, state and local levels.
‘PROTECTING OUR NATION, ONE CITY AT A TIME’
AST Reaches both Private & Public Experts, essential to meeting these new challenges.
Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.
These experts are from Government at the federal, state and local level as well as from private firms allied to government.
AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.
AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.
Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.
To learn more about the 2020 ‘ASTORS’ Homeland Security Award Winners solutions, Check Out the New 2020 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2020 ‘A Year in Review’.
The Annual CHAMPIONS edition includes a review of the ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firms products and services, includes video interviews and more.
It is your Go-To source throughout the year for ‘The Best of 2020 Products and Services‘ endorsed by American Security Today, and can satisfy your agency’s and organization’s most pressing Homeland Security and Public Safety needs.
From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware and Networking Security – Just to name a few), the 2020 ‘ASTORS’ CHAMPIONS EDITION has what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.
It also includes featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2020 ‘ASTORS’ Awards Program.
-
For a complete list of 2020 ‘ASTORS’ Award Winners, click here.
For more information on All Things American Security Today, and the 2021 ‘ASTORS’ Awards Program, please contact Michael Madsen, AST Publisher at mmadsen@americansecuritytoday.com.
AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:
- Provides named sources
- Reported by more than one notable outlet
- Includes supporting video, direct statements, or photos
