The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding threat actors’ attempts to breach critical infrastructure networks. Cyberattacks on water and wastewater systems could have catastrophic impacts. Threat actors exploit internet-accessible Operational Technology (OT) and Industrial Control Systems (ICS) by targeting internet-exposed industrial devices using unsophisticated methods, such as brute force attacks and default credentials. The recent cyberattacks on water treatment facilities also
prompted the United States Environmental Protection Agency (EPA) to issue guidance to assist owners and operators of Water and Wastewater Systems (WWS) in evaluating their cybersecurity practices.

Earlier this year, the White House and the EPA solicited the assistance of state governors in safeguarding water systems from cyberattacks. In July, the United States government implemented sanctions against Russian cybercriminals in retaliation for their targeting of the Water and Wastewater Systems Sector. In recent years, Iranian and Chinese state- sponsored threat groups also targeted and breached US water systems. For instance, the Chinese state-sponsored threat group Volt Typhoon breached the networks of critical infrastructure organizations, including drinking water systems, and IRGC-affiliated threat actors infiltrated a Pennsylvania water facility.

Recommendations

• Use strong, unique passwords and enable MFA for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
• Keep systems up to date and apply patches after appropriate testing.
• Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats.
• Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
• Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
• Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
• Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from information technology (IT) environments.
• Perform scheduled backups regularly, keeping an updated copy offline in a separate and secure location and testing it regularly.
• Critical infrastructure administrators are encouraged to review analyses of recent state- sponsored cyber threat activity and apply recommendations provided in CISA’s joint fact sheet to prevent victimization.