What we know about this incident has been widely published and shared across countless mediums - including a WaterISAC advisory to members yesterday - so we will not belabor posting every source.
The Federal Trade Commission (FTC) reflects on the top consumer frauds for 2020, noting that overall it was a busy year. According to the FTC, last year it received more than 2.2 million reports about fraud, with people collectively indicating they had lost nearly $3.3 billion. The top fraud of 2020 was imposter scams, with scammers showed up wearing many different hats – from that of a government official, to a known business, to a dear family member or friend.
Today is Safer Internet Day. With a theme once again of "Together for a Better Internet,” the organizers and supporters of this initiative call upon all stakeholders to join together to make the internet a safer and better place for all. While much of the focus of Safer Internet Day is on children and young people, this initiative still provides information and resources that can be useful for others, including representatives of organizations and industries.
Today officials in Florida announced that late last week an unknown malicious actor infiltrated a water treatment plant in the city of Oldsmar and made changes to chemical levels in the treatment process. Fortunately this activity was quickly observed by a plant operator and reversed. Officials indicated that the public was never in danger due to the operator's quick action as well as to other measures that would have prevented the release of the water into the distribution system.
In the interest of incident reporting it is important to be able to identify and differentiate types of incidents being reported. It is also important to be able to understand the difference between an actual attack and an unintentional incident that may have attack-like consequences. Given cross-sector dependencies, some water and wastewater utilities closely track and apply NERC CIP regulations even though they aren’t required. NERC CIP 008-6 became mandatory on January 1, 2021 and requires bulk power system utilities to report attempts to compromise their infrastructure and operations.
In another reference to WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, you may recall this topic being discussed at #6 Install Independent Cyber-Physical Safety Systems. Consequence-driven Cyber-informed Engineering (CCE) is an advanced topic for critical infrastructure organizations, but one that shouldn't be overlooked.
As stated in #3 Minimize Control System Exposure in WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, critical infrastructure site assessments performed by CISA for the water and wastewater sector cite the most commonly identified network weakness is a lack of appropriate boundary protection controls. Furthermore, as Armis reminds, per NIST, network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect ICS.
The National Institute for Standards and Technology (NIST) has published guidance that can be used by organizations to protect highly sensitive data from advanced persistent threat (APT) actors, including those affiliated with nation-states. NIST’s Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171, offers a set of tools designed to counter the efforts of state-sponsored hackers and complements another NIST publication.
As part of its Tech Tuesday series, the FBI's Portland, Oregon office has published an article on building a digital defense against cryptocurrency scams. This article was prompted by the FBI’s Internet Crime Complaint Center having received numerous tips recently from people who received threatening messages demanding digital currency. The targeted victim receives an email from a person or group alleging that they committed some crime that involved the theft of virtual funds from the scammer. The threat actor makes a series of threats demanding the victim pay him back.
View the Security Awareness Compendium for Identity Theft Awareness Week on topics such as protecting digital lives, rethinking passwords, research on the cybercrime email infrastructure, and a business email compromise (BEC) investigation resource you NEED to have at your fingertips!
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
