Gov agencies release security playbook for water system IT

Stay hydrated—CISA, the EPA, and the FBI just released a big security playbook for water and wastewater systems (WWS) facilities.

The joint effort’s IRG, or incident response guide, offers mitigation recommendations as the utilities face increased targeting from adversaries. Such suggestions from the agencies include answers to the classic question of: Who ya gonna call?

“The unique value of this joint IRG is that it provides WWS sector owners and operators information about the federal roles, resources, and responsibilities for each stage of the cyber incident response (IR) lifecycle. Sector owners and operators can use this information to augment their respective IR plans and procedures,” the introduction to the guide, which was published this month, read.

The recs, pulled together in collaboration with over 25 industry, nonprofit, and state/local government partners, focused on how to help utility pros through the four stages of incident response: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities.

The guide reveals early warning signs that there’s trouble in the water:

• Unusual system behavior, like frequent crashes and pop-up displays
• Unfamiliar network activity, such as unexpected data transfers, connections to unknown IP addresses, or unauthorized access attempts
• Unexplained data loss, like the sudden disappearance of files
• Sudden network appearance of unknown devices or unauthorized access points

The 27-page guide (featuring links to standards and checklists) arrives as “nation-state cyber actors also have demonstrated an intent to target US WWS utilities,” CISA said, citing ransomware attacks on internet-facing operational technology (OT):

• July 2021: With remote-access capabilities, threat actors deployed ZuCaNo ransomware against a Maine-based facility and one of its OT network’s supervisory control and data acquisition (SCADA) computers.
• November 2023: The cyber actor group CyberAv3ngers, affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC), targeted Israeli-made programmable logic controllers in US water facilities. “The cyber actors likely accessed the affected device by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet,” the writers of the agency-led report said.
• One incident not mentioned: Just this month, the UK-based Southern Water service company confirmed that ransomware attacks from the Black Basta group reportedly compromised data like identity documents, HR-specific info, and corporate car lease data.

The motives behind the water attacks may be financially or politically motivated, the agencies said, given the significant impact from a compromise to such critical, connected facilities.

“The dependency that many US critical infrastructure sectors—including energy and healthcare and public health—have on the WWS makes the sector a target for cyber threat actors,” the report read.