Water treatment facilities named in joint cyber advisory

To help water and wastewater utilities protect their IT and operational technology systems from cyberattack, the FBI, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency and National Security Agency have outlined steps facilities can take to defend themselves.

To help water and wastewater utilities protect their IT and operational technology systems from cyberattack, the FBI, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency and National Security Agency have issued a joint advisory outlining steps facilities can take to defend themselves.

According to the Oct. 14 Joint Cybersecurity Advisory, water facilities tend to prioritize repair or replacement of physical infrastructure over that of IT/OT infrastructure. Additionally, because municipal systems are “inconsistently resourced,” they may not have staff or budget to maintain consistently high cybersecurity standards. As a result, these facilities become susceptible to common vulnerabilities such as insider threats, spearphishing attacks that deliver malicious payloads such as ransomware, and the exploitation of unsupported or outdated operating systems, software and vulnerable firmware.

The advisory cites a number of intrusions between 2019 and 2021, but notes that although cyber threats across critical infrastructure sectors are increasing, the advisory “does not intend to indicate greater targeting” of the water and wastewater sector. To secure these facilities -- including Department of Defense water treatment plants in the United States and abroad -- against the tactics, techniques and procedures used by cyber attackers, the advisory strongly urges organizations to implement the following measures:

• Monitor supervisory control and data acquisition (SCADA) systems for suspicious activities and indicators, such as being locked out of system controls, seeing unfamiliar data windows or system alerts, or detecting abnormal operating parameters or access by unauthorized users.

• Limit remote access by requiring multi-factor authentication, enabling logging and auditing on remote access technologies, using manual start and stop features to reduce the time remote services are running and limiting the access a remote user can acquire.

• Secure networks by segmenting IT and OT networks, implementing DMZs and other solutions to prevent unregulated communication between the networks, updating network maps to account for all connected equipment and removing devices not required for operations.

• Update emergency response plans and conduct exercises that consider the full range of impacts from a cyberattack -- from lack of control to safety threats -- and be able to switch to alternative control systems while assuming degraded communications.

• Install independent cyber-physical safety systems -- such as geared valves and pressure switches -- that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor.

The advisory also includes a number of common-sense mitigations, such as keeping software updated, conducting regular backups, enabling device authentication, managing user accounts and providing regular training.

This article first appeared on GCN, a Defense Systems partner site.