Yesterday afternoon, the Cybersecurity and Infrastructure Security Agency (CISA) published a new CISA Insights urging organizations to immediately implement cybersecurity measures to protect against potential critical threats – CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats. This notice is in response to the recent cyber events against Ukrainian government entities, including website defacements and the destructive NotPetya-style WhisperGate wiper malware, and continues to emphasize the ongoing concern and importance of protecting critical infrastructure from direct or indiscriminate attacks due to increased geopolitical tensions.
What Actions are Recommended for Water and Wastewater Systems?
Water and wastewater utilities are strongly encouraged to proactively protect against these threats and continue following EPA, WaterISAC, and other federal partner guidance, advisories, and webinars regarding Russian state-sponsored cyber threats. Regardless of the suspected direct targeting of Ukrainian infrastructure, water and wastewater utilities (and other critical infrastructure partners) could experience indiscriminate attacks similar to what occurred in the 2017 NotPetya incident.
Members can access the joint EPA-WaterISAC webinars here: EPA-WaterISAC Webinar: Cybersecurity Recommendations in Consideration Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure. Likewise, water and wastewater system owners and operators should review the CISA Insights and other previously published advisories on the WaterISAC portal (additional links below).
In addition to requiring strong/unique passwords and implementing multifactor authentication (MFA), other key actions for water and wastewater systems include the following:
- Identify Crisis Teams and Surge Support. Identify crisis teams and surge support for responding to an incident during periods when organizational cybersecurity coverage has gaps, such as overnight, weekends, and holidays. Likewise, teams should be familiar with incident response plans, including a resilience plan addressing how to operate if you lose access to or control of critical OT or IT systems, including the ability to sustain manual operations.
- Back Up Data. Implement and test data backup procedures on both IT and OT networks and ensure copies of backups are isolated (stored offline) from the network.
- Network/Systems Awareness. Be alert for unusual behavior in operational technology (OT) or information technology (IT) systems, such as unexpected reboots of digital controllers and other OT hardware and software, and delays or disruptions in communication with field equipment or other OT devices. Likewise, it may be necessary to enhance logging to effectively investigate anomalous activity – including collecting more logs and increasing storage capacity and retention time.
- Address Known Exploited Vulnerabilities. This could include patching and/or additional controls such as network segmentation to protect vulnerable devices that cannot effectively be patched. CISA maintains a catalog of Known Exploited Vulnerabilities that utilities are encouraged to review to help prioritize identification and remediation of vulnerable systems within their environment.
Prior WaterISAC and EPA webinars and advisories
- EPA-WaterISAC Webinar: Cybersecurity Recommendations in Consideration Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure
- (TLP:AMBER) U.S. EPA-WaterISAC Advisory on Recommendations in Consideration of Russian Cyber Operations
- (TLP:WHITE) Joint Cybersecurity Advisory (AA22-011A) Issued to U.S. Critical Infrastructure for Understanding and Mitigating Russian State-Sponsored Cyber Threats
Additional Resources
- Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure (AA22-011A)
- Russia Cyber Threat Overview and Advisories
- Protecting Against Malicious Cyber Activity before the Holidays (White House; 12/16/21)
- Joint Cybersecurity Advisory Ongoing Cyber Threats to U.S. Water and Wastewater Systems (CISA, FBI, NSA, EPA; 10/14/21)
- WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities
- EPA Cybersecurity Best Practices for the Water Sector
- AWWA Resources on Cybersecurity
- Proactive Preparation and Hardening to Protect Against Destructive Attacks (Mandiant)
- Actions to take when the cyber threat is heightened (NCSC)
WaterISAC Incident Reporting
WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email [email protected], call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector.