In a follow up to White House statements on Monday, March 21, 2022 regarding evolving intelligence, the Cybersecurity and Infrastructure Security Agency (CISA) convened an unclassified call on Tuesday to address observed Russian Government preparatory cyber activity against the U.S. The call attracted more than 13,000 industry stakeholders and was held for an unprecedented three-hours where the majority of the call consisted of CISA and FBI officials answering attendee’s questions. If you were unable to attend, a recording of that call is available on CISA’s YouTube Channel – CISA Call with Critical Infrastructure Partners on Potential Russian Cyberattacks Against the U.S.

The brief from CISA encapsulated measures all organizations, especially vital lifeline sectors, including water and wastewater utilities should be diligent in proactively acting on the following:

1. Know your network and actively hunt and monitor for known Russian tactics, techniques, and procedures (TTPs).
   • AA22-011A – Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure should be used to reference the most current information on Russian TTPs, including currently known exploited vulnerabilities
   • (TLP:AMBER) FBI FLASH: Threat Actors Conducting Increased Reconnaissance of U.S. Energy Networks contains indicators and more technical details regarding scanning from Russian-based IP addresses
2. Mitigate known exploited vulnerabilities on public facing assets with the utmost urgency.
   • In addition to AA22-011A, the Known Exploited Vulnerabilities Catalog should be referenced for vulnerabilities that could be exploited on unpatched/unmitigated devices in your environment
3. Secure credentials, including disabling dormant accounts, changing passwords that could have been stolen, and implementing multifactor authentication (MFA) wherever possible – especially on critical accounts and assets.
   • In addition to CISA’s page on Multi-factor Authentication (MFA), AA22-074A – Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability contains important TTPs and mitigations
4. For entities with OT/ICS – note unexpected equipment behavior, such as unexplained reboots, etc.
   • Utilities are encouraged to refer to AA21-287A – Ongoing Cyber Threats to U.S. Water and Wastewater Systems for recommended guidance and mitigations
5. Be aware of threats to SATCOM and VSAT, for additional information, check out:
   • Strengthening Cybersecurity of SATCOM Network Providers and Customers
   • U.S. EPA-WaterISAC Joint Notification on Protecting VSAT Networks and Communications
6. Bolster resilience plans by exercising incident response plans (IRPs), designating a crisis response team, and testing extended manual operations of OT/ICS/SCADA systems.
   • AA21-287A – Ongoing Cyber Threats to U.S. Water and Wastewater Systems is helpful here too.
7. Report anomalous and suspicious activity quickly, including mis/dis/and malinformation, to at least one of the following:
   • CISA: Online tools | central@cisa.dhs.gov | (888)282-0870
   • FBI: Local field office | CyWatch@fbi.gov | (855)292-3937
   • WaterISAC: Online incident reporting form | analyst@waterisac.org | (866)H2O-ISAC

In addition to the aforementioned, previous guidance can be referenced on the WaterISAC Resource Center in Update from the White House – Act Now to Protect Against Potential Cyber Attacks.

Other Notable Related Resources from the White House and CISA

• FACT SHEET: Act Now to Protect Against Potential Cyberattacks
• Shields Up, Shields Up Technical Guidance, and Known Exploited Vulnerabilities Catalog
• AA22-011A – Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
• Russia Cyber Threat Overview and Advisories

Prior WaterISAC and EPA Notices, Advisories, and Webinars (which includes many references to all of the above)

• Don’t Panic, but Don’t be Complacent – Act Now to Protect the Services Americans Rely On Against Potential Cyber Attacks from Russian State-Sponsored Actors
• Update from the White House – Act Now to Protect Against Potential Cyber Attacks
• Russian State-Sponsored Actors Combine Exploits to MFA Protocols and a Known Vulnerability
• U.S. EPA-WaterISAC Joint Notification on Protecting VSAT Networks and Communications
• Mandiant-WaterISAC Webinar: Critical Infrastructure Threats from Current Geopolitical Tensions
• U.S. EPA-WaterISAC Advisory on Potential Threat to Critical Infrastructure
• EPA-WaterISAC Webinar: Cybersecurity Recommendations in Consideration Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure
• (TLP:AMBER) U.S. EPA-WaterISAC Advisory on Recommendations in Consideration of Russian Cyber Operations
• (TLP:WHITE) Joint Cybersecurity Advisory (AA22-011A) Issued to U.S. Critical Infrastructure for Understanding and Mitigating Russian State-Sponsored Cyber Threats

Incident Reporting
WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector.