Articles

FBI, NSA, CISA and EPA warn of drinking water system compromise

A joint alert issued by four federal US agencies warns organizations in the water and wastewater management sector to remain on high alert in regards to potential cyber security compromise. Threat actors with unauthorized access may manipulate systems so as to prevent the provisioning of clean, potable water to America’s communities.

What to know…details

A combination of poor access controls, legacy systems, remote access capabilities, ransomware and insider threats contribute to the concerns expressed by federal agencies. In particular, Remote Desktop Protocols have been continuously targeted by threat actors in recent months.

Water and water treatment facilities also face phishing, spearphishing and malware campaigns that threaten to overwhelm understaffed and under-resourced industrial complexes. To complicate matters, in many cases, IT systems are tethered to operational technologies, which manipulate physical machines. As it stands, a cyber attack on IT systems can compromise OT systems and vice-versa.

Attempted poisoning 2021

In February of this year, a cyber criminal gained unauthorized access to a water treatment plant’s computer systems in Oldsmar, Florida. The hacker managed to change system settings, resulting in an excessive volume of sodium hydroxide set to enter the water supply. A lone staffer managed to catch the issue before it could cause damage. On the heels of this episode, NBC News reported a similar incident in California, which had occurred in January of 2021.

Up until this point, the attack types employed have been relatively elementary, but cyber criminals may engage in more sophisticated attack types that could slip past chemical and security controls. Many of the mitigation tactics recommended are tried and true; building strong multi-factor authentication protocols, monitoring access requests, strong logging protocols, blocklisting or allowlisting, network segmentation between IT and OT…etc. Experts also suggest that water treatment facilities implement “demilitarized zones,” meaning firewalls, jump servers and one-way communication diodes that can prevent unauthorized communications between IT and OT systems.

US federal agencies recommend that water and wastewater groups establish strict monitoring regimes. Similarly, they should take meticulous and scrupulous care in searching for and reporting anomalous behavior or suspicious activities. Technology professionals should look for employee access at odd times, unfamiliar data windows or system alerts, and any unexplained system restarts.

In conclusion

For more on this story, visit SC Media. To read about the Oldsmar water incident, click here. Lastly, for more cyber security and business insights, analysis and resources, sign up for the Cyber Talk newsletter.

Back to top button