Four US water and wastewater systems (WWS) plants have been hit by ransomware in the past 13 months, a new advisory from CISA noted late Thursday (October 14), including one incident that crippled the victim’s SCADA system and backup systems -- a reminder (lest the Colonial Pipeline shutdown hadn't "reminded" policy makers and business leaders enough) that critical infrastructure remains vulnerable to cyberattacks.
Emphasising that the report "does not intend to indicate greater targeting of the WWS Sector versus others" and that the US's WWS plants "commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities", CISA pointed to five recent incidents, including four ransomware attacks and one incident involving a disgruntled former employee.
Wastewater ransomware attacks: The incidents
- "In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
- "In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer", CISA said. A closer look by The Stack at the incident suggests this was an attack on a small sewage plant running an obsolete Windows 7 system -- the computer shutdown stopped alarms that might alert workers if pumps overheat or tanks are overfilled, but as CISA notes, "The treatment system was run manually until the SCADA computer was restored using local control".
- "In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
- "In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system," said CISA in the report.
A key priority for all plant operators (given the need for increased use of remote ops in the wake of the pandemic) is to properly assess and mitigate the risk posed by enhanced remote access, CISA notes, listing some common threat vectors like exposed RDP, unpatched software etc. and emphasising the need for multi-factor authentication "for all remote access to the OT network, including from the IT network and external networks."
While cybersecurity professionals and agencies like CISA may get tired of repeating the same messages ad nauseum, for many organisations, IT remains something of an afterthought and IT "teams" (where they exist: sometimes it's a one-person show; a dedicated cybersecurity specialist is even more of a rarity) are often stretched thin and among the first parts of a company to be cut when times are tight.
CISA's TTPs on the wastewater ransomware attacks and mitigations can be seen here.