Critical Infrastructure Security, Distributed Workforce

Feds warn of ongoing cyberattacks targeting water and wastewater companies

A water treatment facility in Florida. An industrial control system cybersecurity initiative established by the Biden administration for the electric and pipeline industries will be expanded to include critical infrastructure entities in the water and wastewater sectors. (Credit: Getty)

Companies in the water and wastewater sector are the latest industry to receive a warning from U.S. government agencies that malicious hackers are targeting their systems and equipment.

A joint alert by four federal agencies (FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency and the Environmental Protection Agency) said that companies in this sector continue to face “ongoing” targeting of their information technology and operating technology by both known and unknown malicious hacking groups.

“This activity — which includes attempts to compromise system integrity via unauthorized access — threatens the ability of [water and wastewater] facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” the agencies warned.

Ransomware, insider threats and shoddy access controls are at the heart of many threats against the water and wastewater industries. Since the onset of COVID-19, these facilities are also increasingly reliant on remote login tools, like Remote Desktop Protocols, that have been persistently targeted by ransomware actors and other hacking groups during the pandemic.

Like almost every industrial sector, these companies are vulnerable to spearphishing campaigns, vulnerabilities in old or unpatched legacy software and other common staples of the hacking world. And like those other sectors, water and wastewater facilities are understaffed and underresourced when it comes to cybersecurity.

In many cases, IT systems are connected to or integrated with operational technology that control physical machines, and getting access to one can sometimes be sufficient to compromise the other. The agencies highlight a number of security incidents — nearly all of them ransomware related — that have affected the sector since 2019:

Additionally, hackers attempted to poison a water treatment plant in Oldsmar, Florida, in February, while reporting from NBC News uncovered a similar attempt by unknown hackers against a water treatment plant in the San Francisco Bay Area in January.

If many of the tactics, techniques and procedures are relatively basic, so too is much of the mitigation advice the agencies dole out. Building in strong multifactor authentication protocols for accessing operational technology networks — including access requests from the same company’s IT network — can dramatically limit the amount of damage that a malicious actor can do to the actual machinery and the protocols they follow to treat and process clean water. So too can things like strong logging, blocklisting or allowlisting and network segmentation between IT and OT. They also recommend implementing “demilitarized zones” in the form of firewalls, jump servers, and one-way communication diodes to prevent IT and OT systems communicating in an unauthorized way.

Many of the incidents cited by the government involve compromise of supervisory control and data acquisition systems that monitor and manage machinery. To that end, the agencies recommend water and wastewater companies set up strict monitoring regimes and look for anomalous behavior or signs, like an inability for employees to gain access to those systems in whole or in part, unfamiliar data windows or system alerts, access at unusual times of the day and unexplained restarts.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.