Security & Resilience Update - 6 December 18

Created: Thursday, December 6, 2018 - 17:17
Categories:
Cyber Security

In this issue:

SPOTLIGHT

  • Business Email Compromise Meets Gift Card Fraud – Activity Reported in the Water and Wastewater Sector

GENERAL SECURITY & RESILIENCE

  • Annual Terrorist Report Highlights Decrease in Lethality of Worldwide Terror Attacks, Increased Concerns about Far-Right Extremism
  • Three Steps to Better Security at a Critical Infrastructure Facility
  • WaterISAC Attends Event to Help Further Critical Infrastructure Security and Resilience
  • (U//FOUO) NCTC Counterterrorism Weekly: November 29 – December 5, 2018

CYBERSECURITY

  • Say It Isn’t So – Use of USBs in Industrial Environments
  • Iranian Nationals Formally Charged for Atlanta Ransomware Attack
  • Ransomware Will Soon Target Social Media Accounts and IoT Devices, According to Report
  • GE Proficy (ICSA-18-340-01) – Product Used in the Water and Wastewater and Energy Sectors
  • Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules (ICSA-18-310-02) – Products Used in the Water and Wastewater Sector
  • Security Updates for Adobe and Apple

WATERISAC EVENTS

  • January 23: Water Sector Cyber Threat Web Briefing

UPCOMING EVENTS

  • December 11: EPA Webinar on Preparing for Sampling and Analysis in Response to Distribution System Contamination Incidents
  • December 13: EPA Webinar on Water Contaminant Information Tool (WCIT)
  • December 14: AWWA/Texas AWWA Webinar on America's Water Infrastructure Act
  • December 18: EPA Webinar on Free Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit
  • January 8: EPA Webinar on Exercising Procedures for Responding to Contamination Incidents
  • DHS IP Partnership Bulletin Events

SPOTLIGHT

Business Email Compromise Meets Gift Card Fraud – Activity Reported in the Water and Wastewater Sector

‘Tis the season for customer and employee appreciation, and some businesses will consider giving gift cards to express their gratitude. Therefore, it may be of little surprise that BEC fraudsters have increasingly been making payment requests in the form of gift cards. The FBI’s Internet Crime Complaint Center (IC3) recently reported a significant increase in the number of businesses that are victims of this kind of fraud. From January 2017 to this fall, the adjusted loss exceeded $1 million. The modus operandi is the same as the typical BEC scam, but instead of sending instructions for ACH or wire transfers, the perpetrator asks the victim to purchase and send images and codes for gift cards.

In addition, WaterISAC received a report from a member noting the scammer sent a series of poorly worded “urgent” messages from a spoofed Gmail account purporting to come from the utility’s general manager. The fraudster in this incident asked for two $500 Google Play gift cards, and to email photos of the cards, or type the codes in the email.

To help combat this threat, WaterISAC urges members to advise all employees of this variation of the BEC scam through their security awareness reminders. Likewise, if you have been victimized by this or any cyber fraud, the FBI requests that you report it to the IC3 or call your local FBI office. FBI.


GENERAL SECURITY AND RESILIENCE

Annual Terrorist Report Highlights Decrease in Lethality of Worldwide Terror Attacks, Increased Concerns about Far-Right Extremism

The Institute for Economics and Peace has just published the Global Terrorism Index 2018, the sixth edition of this annual report. It observes that worldwide deaths from terrorism fell for the third consecutive year, which it attributes to the decline of the Islamic State. Despite this decline, the report identifies the Islamic State as the world’s deadliest terrorist organization. Additionally, it notes that the number of terrorist attacks in Western Europe actually increased, although the lethality of these attacks decreased due to increased counterterrorism spending and security measures there. The report highlights far-right extremism as a growing concern, which has been substantiated by an increase in the number of deaths associated with attacks conducted by far-right extremist groups. Other recent reports have also emphasized the increasing threat of far-right extremism, including one from the Center for Strategic and International Studies and another from the Brennan Center for Justice at New York University’s School of Law (both of which were discussed in the November 27 SRU). The Global Terrorism Index reports use data from the Global Terrorism Database that is maintained by the National Consortium for the Study of Terrorism and Responses to Terrorism (START) at the University of Maryland. Read more at WaterISAC.

Three Steps to Better Security at a Critical Infrastructure Facility

An article in Homeland Security Today presents a case study demonstrating the importance of critical infrastructure operators having a security program in place. In the case study, a man parked his van outside a sensitive facility for a prolonged period of time, telling the staff there that the van had broken down and that a tow truck was on its way. But when the tow truck didn’t arrive in a reasonable amount of time, the staff began implementing security protocols that eventually led them to call police. Given the facility’s sensitivity, local law enforcement conducted an expedited response, during which they discovered the van was registered to a person on a terrorist watch list. As highlighted by this real-world scenario, the facility had a security program with protocols in place, had trained its staff to these, and had partnered with law enforcement so that it understood the facility’s sensitivity and how it could work with the facility in a response. Getting to this point was the result of the facility having executed three steps the article underscores are necessary for a critical infrastructure facility’s security program: 1) Identify the purpose of the critical infrastructure program; 2) Form and write down goals or objectives; and 3) Measure and present progress. Homeland Security Today.

WaterISAC Attends Event to Help Further Critical Infrastructure Security and Resilience

The scenario described above exemplifies some of the great community efforts between facility operators, law enforcement agencies, and other partners to further critical infrastructure security. These efforts also include the 3rd Annual Security and Risk Management Symposium, which WaterISAC attended last week in Pittsburgh, Pennsylvania. Presenters at the event praised efforts that build critical infrastructure security and resilience by developing key relationships, noting that such activities had contributed to the effective response during the Tree of Life tragedy in Pittsburgh on October 27. The symposium was sponsored by the Pennsylvania Governor’s Office of Homeland Security and the Pennsylvania Region 13 Task Force, with the Allegheny County Sanitary Authority leading the planning and execution of the event. Other event partners included: American Water, Pennsylvania American Water, AWWA, Pennsylvania AWWA, Pennsylvania WARN, Texas AWWA, Texas WARN, PWEA, NACWA, E-ISAC, NERC, DHS, and the FBI, among others.

(U//FOUO) NCTC Counterterrorism Weekly: November 29 – December 5, 2018

The National Counterterrorism Center (NCTC) published its weekly report, covering recent terrorist and counterterrorism activities in the U.S. and worldwide. The “On Point” and “Trends, Tactics, and Procedures” sections cover terrorism and counterterrorism news. One of the items in the former section provides further details of the recent arrest of a man on the Italian island of Sardinia on charges that he was planning to poison water supplies. According to this report, which cites two news sources, the man had researched the aflatoxin B1 carcinogen and the metomil pesticide, which it appears he never actually acquired. This news item was initially covered by WaterISAC in its November 29 SRU, which cited initial reporting on this case that noted the man was planning to use anthrax and ricin. Read more at WaterISAC. FOR U.S. MEMBERS.


CYBERSECURITY

Say It Isn’t So – Use of USBs in Industrial Environments

Despite controls to prohibit usage of USBs within industrial environments, including a Federal Energy Regulatory Commission (FERC) order in April, employees often find a way around such constraints. Inspired by technology in use by 50 of its customers, Honeywell released its Industrial USB Threat Report highlighting the USB problem. Honeywell’s Industrial Cybersecurity Team stated the data showed a more serious threat than it had anticipated. The report highlighted that almost half of the customers using the technology detected and blocked at least one file with a security issue. In addition, 26 percent of detected threats were capable of significant disruption to operations, including loss of view or loss of control. Somewhat surprisingly, among the threats detected on USBs were TRITON/TRISIS/Hatman, Mirai IoT botnet, WannaCry ransomware, and variants of Stuxnet. It seems that organizations still believe they are not a target. The report provides practical guidelines to help organizations curb this threat. Tripwire.

Iranian Nationals Formally Charged for Atlanta Ransomware Attack

Yesterday, a federal grand jury in Atlanta, Georgia indicted two Iranian men for executing the SamSam ransomware attack on the City of Atlanta. This indictment follows the one made last week by a federal grand jury in Newark, New Jersey, which formally charged the same two men for having executed the SamSam ransomware campaign, albeit in more general terms (as discussed in the November 29 SRU). Some of the impacts of the attacks and the actions Atlanta took in response are detailed in the press release regarding this latest indictment. U.S. Department of Justice.

Ransomware Will Soon Target Social Media Accounts and IoT Devices, According to Report

Managed service provider (MSP) Datto has just published its annual report on trends in ransomware, which is based on data it received from 2,400 IT professionals from around the world. Among other findings, the report notes that whereas 89% of MSPs are “highly concerned” about ransomware, just 36% of small and medium-sized businesses feel the same. Additionally, a majority of MSPs predict ransomware will move beyond targeting just PCs and servers and that it will soon be used to encrypt social media accounts and Internet of Things (IoT) devices. Datto also notes how difficult it can be to prevent ransomware, as 86% of victims had antivirus software and 65% had email and spam filters. Datto observes that this last set of numbers demonstrates the importance of businesses implementing a wide variety of cybersecurity measures rather than depending on one or a few. Cylance.

GE Proficy (ICSA-18-340-01) – Product Used in the Water and Wastewater and Energy Sectors

The NCCIC has released an advisory on an XXE vulnerability in GE Proficy. Cimplicity 9.0 R2, 9.5, and 10.0 are affected. Successful exploitation of this vulnerability could allow an attacker to initiate an OPC UA session and retrieve an arbitrary file. GE recommends users update to Version 2.1 or newer. The NCCIC also advises on a series of mitigating measures for this vulnerability. NCCIC/ICS-CERT.

Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules (ICSA-18-310-02) – Products Used in the Water and Wastewater Sector

The NCCIC has released an advisory on a missing authentication for critical function vulnerability in Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules. Numerous products and versions of these products are affected. Rockwell Automation recommends users of affected products update to an available firmware revision that addresses the associated risk. Users who are unable to update their firmware are directed towards additional risk mitigation strategies, some of which are provided by the NCCIC, and are encouraged to combine these with the general security guidelines to employ multiple strategies simultaneously, when possible. NCCIC/ICS-CERT.

Adobe Releases Security Updates

Adobe has released security updates to address vulnerabilities in Adobe Flash Player and Adobe Flash Player installer. An attacker could exploit some of these vulnerabilities to take control of an affected system. The NCCIC encourages users and administrators to review Adobe Security Bulletin APSB18-42 and apply the necessary updates. NCCIC/US-CERT.

Apple Releases Multiple Security Updates

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The NCCIC encourages users and administrators to review the Apple security pages and apply the necessary updates. NCCIC/US-CERT.


WATERISAC EVENTS

Water Sector Cyber Threat Web Briefing

Wednesday, January 23, 2019, 2:00 – 3:00 PM ET; webinar

On January 23, WaterISAC will convene its monthly Water Sector Cyber Threat Web Briefing. Presenters will cover the latest cyber threats facing the water and wastewater sector. Register at WaterISAC.



UPCOMING EVENTS

EPA Webinar – Preparing for Sampling and Analysis in Response to Distribution System Contamination Incidents

Tuesday, December 11, 2018; 1:00 – 2:00 p.m. ET; webinar

This webinar will provide an overview of capabilities necessary for field and laboratory response to a possible drinking water contamination incident. It will include a discussion of priority contaminants, analytical methods, emergency response sampling kits, and field testing equipment. Lessons learned from utility implementation of emergency response sampling and analysis capabilities will also be presented. WaterISAC has posted a flyer to its portal with additional information about this learning opportunity. Register at GoToWebinar.

EPA Webinar – Water Contaminant Information Tool (WCIT)

Thursday, December 13, 2018; 1:00 – 2:00 p.m. ET; webinar

The Water Contaminant Information Tool (WCIT) is a secure on-line database with comprehensive information about chemical, biological and radiochemical contaminants of concern for the Water Sector. WaterISAC members have direct, single-sign-on access to WCIT via the Contaminant Databases section of WaterISAC's portal. This training, intended for members of the water utility, laboratory and emergency response communities, covers:

- An overview of WCIT
- A description of the information contained within WCIT
- How the tool can be used
- The benefits of use for different stakeholders

Register at GoToWebinar.

AWWA/Texas AWWA Webinar – America's Water Infrastructure Act

Friday, December 14, 2018; 10:30 – 11:30 a.m. ET; webinar

Under the newly enacted America's Water Infrastructure Act (S. 3021; Public Law 115-270), drinking water systems will have to conduct risk and resiliency assessments and revise emergency response plans (read more about the law's stipulations at WaterISAC). To help utilities understand the requirements of this new legislation, AWWA and Texas AWWA are hosting a webinar in which they review the law's highlights and deadlines. The presenters include Kevin Morley, Manager of Federal Relations with AWWA, and Texas AWWA Executive Director Mike Howe. Attendees will learn more about key elements of the law's risk and resilience provisions, including approaches to support compliance and associated deadlines. The fee is $25 per person; you do not have to be a member of AWWA or Texas AWWA to register. Register at Texas AWWA.

EPA Webinar – Free Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit

Tuesday, December 18, 2018; 1:00 – 2:00 p.m. ET; webinar

EPA’s newly released Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit is a comprehensive guide to planning and executing a multi-organization exercise to simulate a water emergency, with a focus on tools and best practices for laboratory analytical support. This webinar, intended for members of the water utility, laboratory and emergency response communities, covers:

- How an AP-FSE can increase preparedness
- An overview of the contents and functionality of the Toolkit
- How you can get started planning an exercise of your own
- Available EPA support

Register at Eventbrite.

EPA Webinar – Exercising Procedures for Responding to Contamination Incidents

Tuesday, January 8, 2018; 1:00 – 2:00 p.m. ET; webinar

This webinar will focus on the development of training and exercises to plan and prepare for responding to a distribution system contamination incident. The webinar will include utility experiences in designing and conducting exercises. WaterISAC has posted a flyer to its portal with additional information about this learning opportunity. Register at Eventbrite.

DHS IP Partnership Bulletin Events (November 6, 2018 Edition)

The U.S. Department of Homeland Security Office of Infrastructure Protection (IP) has published the latest version of its Partnership Bulletin, which provides a snapshot of upcoming training and exercise opportunities, critical infrastructure events, and key announcements. Some of the events include:

- The annual conference of the International City County Management Association (ICMA), which will be held in Nashville, Tennessee from October 20 to 23, 2019 (the last conference, conducted in Baltimore in September 2018, included a session on disaster recovery assessment); 

- Russian Activity Against Critical Infrastructure Briefing, which was conducted in July 2018 and for which the recording is now available online;

- Corporate Security Symposia, which is intended to inform public and private sector audiences on the most challenging security issues the nation faces today, with convenings in Biloxi, Mississippi on March 20, 2019; Norfolk, Virginia on April 3, 2019; and Bentonville, Arkansas on August 14, 2019; and

- DHS Office of Bombing Prevention Training Courses, with both computer-based and in-person training opportunities on a variety of topics from now until late-December.

Read more at WaterISAC.