For several months the White House, Cybersecurity and Infrastructure Security Agency (CISA), and other federal partners have been warning all U.S. organizations to be prepared for the potential for Russian state-sponsored cyber activity against our businesses and national critical infrastructure. The preparedness guidance has been informed by historical activity and incidents from Russian adversaries and issued out of an abundance of caution, until now. This afternoon, the White House issued a statement indicating there is now evolving intelligence that Russia may be exploring options for potential cyber attacks. This new assessment is accompanied with an emphasis to act now to protect against potential cyber attacks.

Additionally, CISA is convening an Unclassified "Broad Stakeholder Call" tomorrow, March 22, to address impacts of the Russia-Ukraine situation on the U.S. Homeland.

Call Details

• Date/Time: Tuesday, March 22, from 2 to 3 PM (EDT)
• Audience: Critical infrastructure partners and stakeholders
• Dial-in Information: 800-857-6546; Passcode: 2824553

Likewise, while the guidance hasn’t changed, emphasis and a greater sense of urgency is being placed on the following:

• Mandate the use of multi-factor authentication (MFA) on your systems to make it harder for attackers – including locking down privileged accounts and monitoring for anomalous account activity.
• Deploy modern security tools on your devices to continuously look for and mitigate threats.
• Make sure systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors.
• Back up your data and ensure you have offline backups.
• Understand and be proficient in incident response procedures (IRPs) and emergency plans before an incident occurs, including practicing IRPs in tabletop exercises with emphasis on being prepared to maintain continuity of operations, specifically for any ICS/OT dependencies that could be disrupted and the sustaining of manual operations to maintain critical functions.
• Encrypt your data so it cannot be used if it is stolen.
• Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.
• Drop the threshold for the sharing of information regarding suspicious network activity – engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Organizations should report incidents and anomalous activity to CISA and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Visit WhiteHouse.gov for the related Fact Sheet and Statement by President Biden.

For more detailed guidance, members are encouraged to regularly review CISA’s Shields Up, Shields Up Technical Guidance, and Known Exploited Vulnerabilities Catalog for updates, and previously published WaterISAC and EPA webinars and advisories for cybersecurity measures and relevant resources to protect against Russian state-sponsored cyber activity. Likewise, visit Russia Cyber Threat Overview and Advisories for an overview of CISA's assessments and reports of the Russian government’s malicious cyber activities.

Prior WaterISAC and EPA Advisories and Webinars

• Russian State-Sponsored Actors Combine Exploits to MFA Protocols and a Known Vulnerability
• U.S. EPA-WaterISAC Joint Notification on Protecting VSAT Networks and Communications
• Mandiant-WaterISAC Webinar: Critical Infrastructure Threats from Current Geopolitical Tensions
• U.S. EPA-WaterISAC Advisory on Potential Threat to Critical Infrastructure
• EPA-WaterISAC Webinar: Cybersecurity Recommendations in Consideration Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure
• (TLP:AMBER) U.S. EPA-WaterISAC Advisory on Recommendations in Consideration of Russian Cyber Operations
• (TLP:WHITE) Joint Cybersecurity Advisory (AA22-011A) Issued to U.S. Critical Infrastructure for Understanding and Mitigating Russian State-Sponsored Cyber Threats

Incident Reporting
WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector.