A joint cybersecurity advisory was issued on 25 October drawing attention to the vulnerability of US Water and Wastewater Systems (WWS) Sector facilities to “ongoing malicious cyber activity”.
Combining the analytical efforts of four federal agencies (the FBI, NSA, CISA, and the EPA), the advisory exposes network security weaknesses that threaten the ability of WWS facilities to provide clean water supplies to communities.
“This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” the advisory warns.
The advisory discloses three previously unreported ransomware attacks that hit WWS facilities in Nevada, Maine, and California earlier this year, resulting in unauthorised file encryption.
Another three widely reported incidents from 2021 were also mentioned in the advisory, including the attacks on facilities in the San Francisco Bay Area; Oldsmar, Florida; and the Belle Vernon Municipal Authority in Pennsylvania.
In Oldsmar, a hacker was able to gain access to the water system and adjust the chemical controls, increasing the amount of sodium hydroxide from a safe and usual 100 parts per million to a very unsafe level of over 11,000 parts per million. This was due to a collection of poor cyber security practices including the use of a shared password for remote access and the absence of a firewall.
Had the hack not been reversed, it is estimated that it would have taken 24 to 36 hours for the poisoned water to reach the city's population.
The advisory identifies both known and unknown actors as being behind the current threats, blaming outdated software systems as a main point of weakness.
CISA and the other three agencies issued several recommendations to mitigate security threats, such as implementing multi-factor authentication, firewalls and jump servers.
Improving cyber security has been a top priority for President Joe Biden, following the Colonial Pipeline hack that took down the largest fuel pipeline in the U.S. and threatened to compromise oil supplies along the East Coast. In May 2021, President Biden signed an executive order to improve the nation's cybersecurity and protect government networks.