Cybersecurity for Water and Wastewater Systems

Current Threat of Russian Cyberattacks

On March 21, the Biden Administration announced that evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks against the US. This is believed to be a retaliation against economic sanctions imposed on Russia by the US and its allies in response to Russia’s invasion of Ukraine.

The Cybersecurity and Infrastructure Security Agency (CISA) is particularly concerned about attacks against “lifeline” industries, including communications, healthcare, energy, and water. To address this, CISA launched a new program called Shields Up. See www.cisa.gov/shields-up

 

Water and wastewater systems are urged to take the following actions:

    • Follow cybersecurity best practices: use strong passwords and multi-factor authentication, back up data, and learn to identify and avoid dangerous emails and links
    • Create and practice a cyber emergency response plan
    • Test manual controls of equipment in case you need to take your system offline

If you experience an attack or notice unusual cyber activity of any sort, report it immediately to report@cisa.gov or (888) 282-0870

Water and wastewater systems have become targets for cyberattacks, according to a joint advisory released by the EPA, FBI, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA). These attacks are expected to continue or increase in the United States and globally.

Jump to…

Learn

Recommended Actions

Free Assistance

Current Threat Assessments

Learn about Cybersecurity

Cybersecurity means taking action to guard your computer systems and data against unauthorized access that could result in theft, damage, or disruption of service. Potential damage caused by a cyberattack to a water or wastewater system includes lost productivity, operational disruption, the cost of ransom, the cost of repairing or installing new computer systems, theft of customer data, danger to public health or the environment, and loss of customer confidence.

The types of cyberattacks that pose the greatest threat to water and wastewater systems are ransomware, phishing, and outdated software/technology.

Ransomware is a malicious software (or “malware”) that is designed to block you from using your computer system or accessing your data until a ransom is paid. This could potentially shut down operations at your system. A computer can become infected with ransomware if you click a malicious internet link or email attachment. The criminal gains access to your computer system, blocks you from using it, and often asks for a large ransom payment. Watch a video about ransomware.

Phishing is an attempt to gain remote access, sensitive information, or payment through a fake email that is designed to look real. The email poses as a familiar person or company to try to get you to send personal information, passwords, or money, or trick you into clicking a malicious link or attachment that contains ransomware. (Phishing can also take the form of a phone call or text message.) If an employee falls victim to a phishing attack, the whole system is at risk of a cyberattack—so be sure all personnel are trained in cybersecurity. Watch a video about phishing.

Outdated software/technology are easy targets for hackers because the security may no longer be supported or effective. Hackers may be able to gain access to your system this way and block you from using your computers or steal your data. Keep your software up-to-date and use strong passwords and multifactor authentication.

There are also unintentional cyber incidents, such as if a fiber to your building is accidentally cut, leaving the utility without internet connection for an extended time.

Recommended Actions

Here are some steps you can take on your own to protect your facilities. For the more complicated aspects of cybersecurity, we encourage you to contact CISA or EPA for free assistance (see next section).

For All Personnel:

    • Learn to identify malicious emails, ransomware, and phishing
    • Use strong passwords and multi-factor authentication
    • Keep computers and other devices updated to the latest version
    • Report suspicious activity of any kind to the Vermont Intelligence Center at 844-848-8477 or the anonymous online tip line
    • If your system is under attack, call 911 or CISA’s 24/7 report line at 888-282-0870

For Managers:

    • Create an inventory of devices and the people who have access to them
    • Ensure your system’s physical security prevents unauthorized access to devices
    • Develop cybersecurity policies and procedures
    • Train all staff on cybersecurity best practices
    • Include cyber attacks in your Emergency Response Plan, and practice responding to a cyber incident
    • Have a cybersecurity risk assessment performed (see below for free options)
    • Consider hiring a cybersecurity company—they will have more expertise than an IT specialist

For IT/SCADA Technicians:

    • Keep devices and software programs updated to the latest version
    • Create an inventory of devices, software, networks, and the people who have access to them
    • Back up critical data
    • Use network firewalls
    • Restrict remote connections to SCADA systems
    • Turn off remote access software when not in use

Free Assistance

1. The Cybersecurity and Infrastructure Security Agency (CISA)  is a branch of the Department of Homeland Security that assists the nation’s critical infrastructure with physical security and cybersecurity. CISA can perform an assessment of your system and advise you on steps you can take to improve your cybersecurity. These services are free, voluntary, and non-regulatory. Find more information at www.cisa.gov/region-1 or email vulnerability_info@cisa.dhs.gov

2. In addition, EPA and the Horsley Witten Group are offering free cybersecurity assessments for some water and wastewater systems. They can also help you develop a cyber action plan. Find more information about this program here.

3. The Critical Infrastructure Defense Project is offering free products and services from three cybersecurity companies to hospitals, energy, and water utilities for at least four months (March through June 2022). This is in response to the current threat of Russian cyberattacks. See https://criticalinfrastructuredefense.org

Current Threat Assessments and Vulnerability Issues

3/21/22 The Biden Administration announced that evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks against the US. This is believed to be is a retaliation against economic sanctions imposed on Russia by the US and its allies in response to Russia’s invasion of Ukraine. Read the statement.

2/23/22 The current situation in Russia and Ukraine has the FBI and CISA warning of Russian state-sponsored cyber attacks on US critical infrastructure, including water and wastewater systems. Russia has a history of both low-sophistication attacks (such as fake emails and guessing password) and high-sophistication attacks, like targeting operational technology (OT) and industrial control systems (ICS) networks with destructive malware. Read more here.

2/9/22 Due to the globalized threat of ransomware, the US, Australia, and the United Kingdom released a joint advisory strongly encouraging every executive and leader to ensure their organization is taking appropriate action to reduce their risk of ransomware. Stopransomware.gov has resources on reducing risk to ransomware or responding to a ransomware attack. Read the Advisory.

11/22/21 The FBI and CISA remind organizations to continue cybersecurity best practices during the holiday season, citing a report that many of the most disruptive ransomware attacks in 2021 have occurred over holidays and weekends. Read the notice.

10/14/21 EPA, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) released a joint advisory warning of “ongoing malicious cyber activity…targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of water and wastewater systems”. Read the advisory.

5/20/21 US Department of Homeland Security (DHS) Office of Intelligence released an assessment stating that cyberattacks against water and wastewater systems are expected to increase in the United States and globally. The assessment said that cyber criminals may have the goal of receiving ransom payment or may be targeting the water sector in the context of a social/political conflict or ideological cause. Read the analysis.

5/14/21 Secretary of Homeland Security issued a bulletin on the heightened threat of domestic terrorism in the United States. It does not mention threats specific to water or wastewater systems, but it is still a good idea to review your utility’s physical security and Emergency Response Plan. The bulletin is in effect through August 13, 2021. Read the bulletin.

Recent Events

In February 2021, a hacker gained access to a chemical pump at a water treatment facility in Florida and attempted to increase the amount of sodium hydroxide in the water treatment process. An operator noticed the attack and was able to prevent any harm from happening. (Read more from CNN and NY Times and see EPA report below). And in fall 2020, a ransomware attack at the University of Vermont Medical Center interrupted operations for months. (Read more from VT Digger).

These events show that even at water and wastewater systems, even in Vermont, it is important to be alert and take precautions to protect your digital infrastructure, from email to bill payment to SCADA. (Read more from the St Albans Messanger.)

Cybersecurity Alert from EPA regarding Oldsmar Cyber Attack

Background
On 5 February 2021, unidentified cyber actors obtained unauthorized access, on two separate occasions, approximately five hours apart, to the supervisory control and data acquisition (SCADA) system used at a local municipality’s water treatment plant. The unidentified actors accessed the SCADA system’s software and altered the amount of sodium hydroxide, a caustic chemical, used as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal.

The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.

Recommended Mitigation 

  • Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
  • Install a firewall software/hardware appliance with logging and ensure it is turned on. The firewall should be secluded and not permitted to communicate with unauthorized sources.
  • Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
  • Use two-factor authentication with strong passwords.
  • Only use secure networks and consider installing a virtual private network (VPN).
  • Implement an update and patch management cycle. Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected systems for known vulnerabilities and software processing Internet data, such as Web browsers, browser plugins, and document readers.

Last updated 3/23/22