In this issue:

SPOTLIGHT

• FEMA Announces $1 Billion in Mitigation Funding

GENERAL SECURITY & RESILIENCE

• Latest National Terrorism Advisory Warns of Continued Heightened Threat Environment

• Concerns Over U.S. Terror Threat following Taliban’s Afghanistan Takeover

• Risk of Terrorist Group Propaganda Translating into Violence Remains High, according to Europol Assessment

• First-ever Water Shortage Declared on the Colorado River, Triggering Water Cuts

• Fred Makes Landfall as Tropical Storm, Causing Some Flooding and Power Outages

• FEMA Launches Full Application of the National Risk Index with More Customization and Reporting and Data Updates

CYBERSECURITY

• Phishing Campaign Leverages Legit DocuSign Email Notifications

• New Ponemon Study Finds the Annual Cost of Phishing Scams Has More Than Tripled Since 2015

• CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins

WATERISAC EVENTS

• August 25: Water Sector Cyber Threat Web Briefing

UPCOMING EVENTS

• August 24: EPA Water Security Division Utility/Lab Talk Webinar

• August 26: EPA Sampling Guidance for Unknown Contaminants in Drinking Water Webinar

• August 26: EIS Council Webinar on EARTH EX // 21 for the Water and Wastewater Sector

• September 23, October 14, and November 9: EPA Facilitated Discussions on EARTH EX // 21

SPOTLIGHT ITEms

FEMA Announces $1 Billion in Mitigation Funding

FEMA has announced the beginning of the 2021 application cycle for its Building Resilient Infrastructure and Communities program. In the current cycle, BRIC will provide $1 billion in federal grant funds to state, local, tribal, and territorial governments to support activities in three categories: Capability- and Capacity Building, Mitigation Projects, and Management Costs. Eligible work within these categories include mitigation planning and partnership development, administrative costs associated with mitigation activities, and projects to “reduce damage and destruction to property, critical services, facilities, and infrastructure from natural hazards and the effects of climate change.” A range of project types will receive priority consideration, including infrastructure projects; mitigation projects that lessen risks to community lifelines such as the "Food, Water, Shelter" lifeline (which includes water and wastewater utilities); climate change- and resilience-focused projects; and projects that benefit disadvantaged communities. Read more and review the funding notice at WaterISAC.

GENERAL SECURITY AND RESILIENCE

Latest National Terrorism Advisory Warns of Continued Heightened Threat Environment

The Department of Homeland Security (DHS) issued a new National Terrorism Advisory System (NTAS) bulletin last Friday, August 13, warning of a heightened threat environment across the country. The twentieth anniversary of the September 11, 2001 attacks, upcoming religious holidays, and conspiracy theories propagating online could spur instances of targeted violence. The NTAS notes that possible threats could emanate from “domestic terrorists, individuals and groups engaged in grievance-based violence, and those inspired or motivated by foreign terrorists and other malign foreign influences.” These threat actors are increasingly utilizing online forums to introduce, amplify, and spread violent extremists narratives and promote violent activity. Additionally, these possible threats are fueled by the effects of the ongoing global pandemic, “including grievances over public health safety measures and perceived government restrictions.” Read more at WaterISAC.

Concerns Over U.S. Terror Threat following Taliban’s Afghanistan Takeover

The Taliban’s recent takeover of Afghanistan, which under the group's previous rule provided a safe haven to al Qa’ida when it orchestrated the 9/11 terror attacks, has raised fears that terrorist groups capable of threatening the U.S. homeland will thrive there anew. In June, Defense Secretary Lloyd Austin and Chairman of the Joint Chiefs of Staff General Mark Milley told senators they foresaw a “medium” risk that al Qa’ida could regain the capability to threaten the U.S. in “two years.” Milley also stressed at the time that “if certain other things happen, if there was a collapse of the government or dissolution of the Afghan security forces, that risk would obviously increase.” Indeed, Milley told senators Sunday that U.S. officials are expected to alter their earlier assessments given recent developments. A Taliban return doesn’t automatically translate into a return of al Qa’ida's bases and a subsequent platform for transnational terror attacks targeting Western countries, especially given statements made by the Taliban and leaders of countries and international organizations. But preexisting and new challenges may undermine their efforts. Read more at WaterISAC.

Risk of Terrorist Group Propaganda Translating into Violence Remains High, according to Europol Assessment

In a just released annual report on the Islamic State and al Qa’ida, Europol notes that 2020 was a critical moment in the evolution of both terrorist groups. It notes that both faced major blows and had to adapt to shifting realities to survive and stay relevant. Focusing in particular on their online propaganda, Europol assesses the risk of messaging from the groups being translated into violence remains high, as propaganda from both continues to call for lone actor attacks by individuals who have no physical connections to either. Among its key findings for the Islamic State, the report states that under new leadership the group is displaying increasing insurgent activity in its traditional heartlands and continuous global reach. And for al Qa’ida, it says the group continues to capitalize on current events to advance its ideological leanings, which are presented as “less extreme” in comparison to the Islamic State. Read the report at Europol.

First-ever Water Shortage Declared on the Colorado River, Triggering Water Cuts

Yesterday the U.S. Bureau of Reclamation made the first-ever federal declaration of a shortage for the Colorado River given low water levels in Lake Mead, a further demonstration of the severity of the ongoing drought in the region. Water in the reservoir, the largest in the Colorado River, is projected to be 1,065.85 feet above sea level on January 1, nearly 10 feet below a threshold that requires Arizona, Nevada, and Mexico to reduce their consumption in 2022. On Monday, it was just under 1,068 feet, or about 35 percent full. Under a system first agreed to in 1922, U.S. states and Mexico divide up water from the Colorado River, which is dammed and diverted in places to irrigate fields and lawns and deliver water to cities. The shortage declaration will have different impacts on those places under the terms of the agreement. Read more at WaterISAC.

Fred Makes Landfall as Tropical Storm, Causing Some Flooding and Power Outages

Fred made landfall yesterday near Cape San Blas, Florida as a strong tropical storm, with sustained winds of 65 mph and just 9 mph below Category 1 hurricane strength. As the National Hurricane Center (NHC) predicted, Fred brought heavy rains and caused significant flooding for some communities. The most significant impacts to critical infrastructure have been power outages, which affected over 36,000 customers in Florida yesterday evening but have since dropped to about 13,000. As of this morning, Fred was located over Georgia and had been downgraded to a tropical depression, with maximum sustained winds of 35 mph. The NHC reports Fred will move across western and northern Georgia today, across the southern Appalachian Mountains tonight, and into the central Appalachians by early Wednesday. It advised that heavy rainfall in these areas could lead to flash, urban, and small-stream and isolated river flooding. Read the advisory at the NHC.

WaterISAC has also posted to its portal FEMA’s Daily Operations Briefing, which provides more information on the forecast for Fred and response and preparatory measures by federal, state, and local governments.

FEMA Launches Full Application of the National Risk Index with More Customization and Reporting and Data Updates

Yesterday FEMA announced the full application launch of the National Risk Index, an online mapping tool that visually identifies traits of communities most at risk from natural hazards. It provides a holistic view of community risk by providing baseline relative risk scores. It measures a community’s risk for 18 natural hazards, in addition to resilience, social vulnerability, and expected annual loss. The Index helps users understand natural hazard risk and to support informed risk reduction decisions for mitigation planning and emergency management. By providing standardized risk data and an overview of multiple risk factors, the tool can help communities, especially those with limited flood mapping and risk assessment capabilities, prepare for natural hazards. The tool was originally released in November 2020 at a limited capacity. Now, fully available for use by state, local, tribal, and territorial partners, the Index includes the ability to generate more customized analyses and reports, including community risk profiles and risk comparison reports for any county or Census tract. The tool is free and designed to be easy to use, and data from the site can be downloaded. Read more and access the tool at FEMA.

CYBERSECURITY

Phishing Campaign Leverages Legit DocuSign Email Notifications

Cybercriminals are now leveraging legitimate document signature service platforms to conduct phishing scams according to recent reports. In this campaign, cybercriminals are utilizing free accounts from the cloud-based DocuSign service to trick email recipients into clicking on links that introduce malware into their systems and networks. Although researchers debate the novelty of this tactic, they all agree that these attacks are becoming more prevalent. According to the cybersecurity firm Ironscales, hackers are also using “Sharepoint, Google Dogs, Google forms, and other file download services” in addition to DocuSign to deliver phishing scams. There are several steps your organization could take to minimize your risk to these attacks. First, if you receive an email with a suspicious link from a colleague, confirm with them through an alternative communication channel that they are the actual sender. Second, you can hover your mouse over links and an email sender’s name to see if the link address or the sender matches the one displayed in the original message. Finally, scanning a file via API software can help thwart an attack. Read more at SC Magazine.

New Ponemon Study Finds the Annual Cost of Phishing Scams Has More Than Tripled Since 2015

A new study from the Ponemon Institute finds that the financial costs incurred from phishing scams has significantly increased over the past six years. The report, titled The Ponemon 2021 Cost of Phishing Study, concludes the average annual cost of a phishing scam in 2021 is approximately $15 million for a 9,600-employee organization, or around $1,500 per employee. The study also highlights that the inability for organizations to contain malware is one factor behind the increasing cost of phishing attacks. Additionally, credential compromises are significantly increasing the costs associated with phishing attacks. Over the past year, organizations experienced on average 5.3 compromises. Researchers estimate that IT personnel spend 2,050 hours investigating and responding to only one compromise. The report predicts that “successful phishing attacks will continue to increase as organizations struggle to secure a growing remote workforce due to the COVID-19 pandemic.” Read more and access the full report at Proofpoint.

CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins

The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:

ICS Vulnerability Advisories:

• ThroughTek Kalay P2P SDK
• Advantech WebAccess/NMS - Product Used in the Water and Wastewater and Energy Sectors
• xArrow SCADA - Product Used in the Water and Wastewater and Energy Sectors
• Multiple RTOS (Update C)

Alerts, Updates, and Bulletins:

• BadAlloc Vulnerability Affecting Devices Incorporating Older BlackBerry QNX Products
• Apple Releases Security Update
• Drupal Releases Security Updates

WATERISAC EVENTS

Water Sector Cyber Threat Web Briefing

Wednesday, August 25, 2021; 2:00 - 3:00 p.m. ET

On August 25, WaterISAC will convene its monthly Water Sector Cyber Threat Web Briefing. Presenters will cover the latest cyber threats facing the water and wastewater sector.

Register at WaterISAC. (WaterISAC Members Only)

UPCOMING EVENTS

EPA Webinar: Water Security Division Utility/Lab Talk

Tuesday, August 24, 2021; 12:00 - 12:30 p.m. ET; webinar

To kick off National Preparedness Month in September, WSD is hosting a webinar focused on sharing stakeholder experiences with emergency preparedness and response. During the webinar, WSD will speak to Wilbur Frehner, Principal Laboratory Scientist at the Southern Nevada Water Authority, who participated in an Analytical Preparedness Full Scale Exercise (AP-FSE) in 2019. He will share his experience going through the exercise and provide information on how water utilities, state primacy agencies, environmental labs, and water association partners can collaborate to prepare for a real life, large-scale water contamination disaster. Register at EPA.

EPA Webinar: Sampling Guidance for Unknown Contaminants in Drinking Water

Thursday, August 26, 2021; 1:00 - 2:00 p.m. ET; webinar

By highlighting how to use the WLA’s Sampling Guidance for Unknown Contaminants in Drinking Water, this webinar will examine recommendations for pathogen, toxin, chemical, and radiochemical sample collection, preservation and transport procedures that support multiple analytical approaches for the identification of potential contaminants in drinking water. Participants will be presented with examples of what is required for a comprehensive sampling program, and how the guidance can be used to enhance laboratory, utility, and emergency responder preparedness by supplementing emergency response plans. Register at EPA.

EIS Council Webinar: EARTH EX // 21 for the Water and Wastewater Sector

Thursday, August 26, 2021; 1:00 - 2:00 p.m. ET; webinar

This is a special EARTH EX // 21 overview for the members of the water and wastewater sector. It will cover what EARTH EX // 21 is all about, the objectives, training opportunities, registration, and how to maximize the benefits of this exercise for members of the water and wastewater sector and their partners. Register at EIS Council. 

This webinar is part of a unique opportunity for water and wastewater utilities whereby EPA has partnered with the EIS Council for EARTH EX // 21. Specifically, EPA will convene three facilitated discussions for utility staff to encourage shared learning and joint problem-solving among participants. Read more about the opportunity at WaterISAC here; the three facilitated discussions are also included below.

EPA Facilitated Discussions: EARTH EX // 21 for the Water and Wastewater Sector

Thursday, September 23, 2021; 1:00 - 3:00 p.m. ET; webinar
Thursday, October 14, 2021; 1:00 - 3:00 p.m. ET; webinar
Tuesday, November 9, 2021; 1:00 - 3:00 p.m. ET; webinar

EPA invites utility staff to join three facilitated discussions about the EARTH EX // 21 exercise to encourage shared learning and joint problem-solving among participants. The series is intended to help water and wastewater utilities develop insights and findings from EARTH EX // 21 to improve their risk and resilience assessments and enhance their emergency response plans. Register at EPA.