CISA posts incident response guide for water utilities

CISA warned of cyberthreats against the water and wastewater sector in an incident response guide published Thursday.

The incident response guide, which the U.S. cybersecurity agency published jointly with the FBI and Environmental Protection Agency, outlined cybersecurity best practices for water and wastewater sector (WWS) utility operators as well as how said operators can expect to work with the federal government. More than 25 organizations contributed to the report, including industrial security vendor Dragos, the American Water Works Association, the Trinity River Authority of Texas, Google and others.

"Malicious cyber actors have varying goals and capabilities, which can result in a wide range of threat activity. The dependency that many U.S. critical infrastructure sectors -- including Energy and Healthcare and Public Health -- have on the WWS makes the Sector a target for cyber threat actors," CISA said in the guide. "In targeting U.S. WWS critical infrastructure, malicious cyber actors conduct activities in alignment with their overarching goals, which may be financially and/or politically motivated. In recent years, various malicious cyber incidents have impacted WWS including, but not limited to, unauthorized access, and ransomware."

CISA's incident response guide includes multiple sections. In one dedicated to preparation, the cybersecurity agency urged information sharing, building an incident response plan, raising each organization's baseline security hygiene and building a WWS "cyber community." Examples of baseline security hardening include segmentation of IT and operational technology systems, keeping consistent and sufficient logging practices, and maintaining system backups.

CISA and the FBI included a section dedicated to the help they can offer WWS utility operators in the event of an incident. CISA said it can provide tailored guidance, technical support, forensics and malware analysis. The FBI, meanwhile, can deploy special agents as well as a "Cyber Action Team" (CAT).

"The rapid-response CAT comprises special agents and computer scientists who specialize in cyber incident response. The CAT provides investigative support and answers to critical questions that can quickly move a case forward," the guide read. "With advanced training in computer intrusions, forensic investigations, and malware analysis, the CAT can deploy across the country within hours to respond to major incidents. Upon activation from a case team, CAT will be onsite within 24 hours for locations in the continental United States (CONUS) and 48 hours for locations outside of the continental United States (OCONUS)."

The publication follows multiple attacks on WWS utility operators in recent months. For example, CISA last month detailed a campaign conducted by threat actors affiliated with the Iranian government. Using the persona "CyberAv3ngers," the actors exploited a vulnerability in Unitronics Vision Series programmable logic controllers and targeted systems belonging to utility operators in multiple U.S. states. Compromised systems were defaced with the message "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." Unitronics is an Israeli company.

Threat intelligence vendor GreyNoise published a white paper Wednesday titled "Decoding 2023: A GreyNoise Retrospective on Internet Exploitation" that covers software vulnerability trends over the past 12 months. In a section dedicated to nation-state activity, the vendor called attention to the campaign and said it has continued to observe probes and exploitation attempts.

Bob Rudis, vice president of data science at GreyNoise, told TechTarget Editorial that attacks on WWS utilities were notable risks, but not yet major threats. He added that the vendor is in the process of standing up its telemetry to better track these kinds of attacks.

"I think it's something for people to be aware of. For municipalities trying to get funding, there's not a lot of money in cyber for those places to do proper defense, so we just wanted to [mention it] in the report to raise awareness," he said.

TechTarget Editorial has contacted CISA for additional comment.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.