_Immediate Actions WWS Facilities Can Take Now to Protect Against Malicious Cyber Activity_
• Do not click on suspicious links.
• If you use RDP, secure and monitor it.
• Use strong passwords.
• Use multi-factor authentication.
Note: This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity—by both known and unknown actors—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.
To secure WWS facilities—including Department of Defense (DoD) water treatment facilities in the United States and abroad—against the TTPs listed below, CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory.
WWS facilities may be vulnerable to the following common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks, systems, and devices.
Cyber intrusions targeting U.S. WWS facilities highlight vulnerabilities associated with the following threats:
WWS Sector cyber intrusions from 2019 to early 2021 include:
The FBI, CISA, EPA, and NSA recommend WWS facilities—including DoD water treatment facilities in the United States and abroad—use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.
Personnel responsible for monitoring WWS should check for the following suspicious activities and indicators, which may be indicative of threat actor activity:
Note: The increased use of remote operations due to the COVID-19 pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels.
FBI, CISA, EPA, and NSA would like to thank Dragos as well as the WaterISAC for their contributions to this advisory.
CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors.
The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
The StopRansomware.gov webpage is an interagency resource that provides guidance on ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:
For additional resources that can assist in preventing and mitigating this activity, see:
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected].
Initial Version: October 14, 2021
October 25, 2021: Corrected typo in Additional Resources