The U.S. Cybersecurity Infrastructure and Security Agency (CISA) on Thursday warned of continued ransomware attacks aimed at disrupting water and wastewater facilities (WWS), highlighting five incidents that occurred between March 2019 and August 2021.
“This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” CISA, along with the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA), said in a joint bulletin.
Citing spear-phishing, outdated operating systems and software, and control system devices running vulnerable firmware versions as the primary intrusion vectors, the agencies singled out five different cyber attacks from 2019 to early 2021 targeting the WWS Sector —
- A former employee at a Kansas-based WWS facility unsuccessfully attempted to remotely access a facility computer in March 2019 using credentials that hadn’t been revoked
- Compromise of files and potential Makop ransomware observed at a New Jersey-based WWS facility in September 2020
- An unknown ransomware variant deployed against a Nevada-based WWS facility in March 2021
- Introduction of ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer in July 2021
- A Ghost variant ransomware attack against a California-based WWS facility in August 2021
The advisory is notable in the wake of a February 2021 attack on a water treatment facility in Oldsmar, where an intruder broke into a computer system and remotely changed a setting that drastically altered the level of sodium hydroxide (NaOH) in the water supply. The change was spotted by a plant operator, who quickly took steps to reverse the remotely issued command.
In addition to requiring multi-factor authentication for all remote access to the operational technology (OT) network, the agencies have urged WWS facilities to limit remote access to only relevant users, implement network segmentation between IT and OT networks to prevent lateral movement, and incorporate abilities to failover to alternate control systems in the event of an attack.