Cybersecurity Recommendations in Consideration of the CISA/FBI/NSA Advisory on Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure

On December 16, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the National Security Agency (NSA) issued a joint advisory on Russian state-sponsored cyber operations against United States critical infrastructure (see attachment for advisory AA21-350B).

CISA INSIGHTS – Preparing For and Mitigating Potential Cyber Threats

What is the Purpose of the CISA/FBI/NSA Joint Advisory?

The joint advisory describes commonly observed tactics, techniques, and procedures; detection actions; incident response guidance; and mitigations. It is intended to help critical infrastructure owners and operators reduce the risk presented by these threats and to encourage a heightened state of awareness during the holidays, a time when many staff disconnect from work.

The joint advisory complemented a December 15, 2021 CISA Insights publication, Preparing For and Mitigating Potential Cyber Threats. That publication asserted that, because of persistent cyber threats from sophisticated actors, including nation-states and their proxies, critical infrastructure owners and operators should take immediate steps to strengthen their network defenses. These actors have the capability to leverage network access for targeted operations with the potential to disrupt critical infrastructure functions.

What Actions are Recommended for Water and Wastewater Systems?

Water and wastewater system owners and operators should review the attached joint advisory and assess how to apply the recommended detection, incident response, and mitigation actions to their operations. Key actions for water and wastewater systems include the following:

1) Require Strong, Unique Passwords. Malicious cyber actors repeatedly use stolen or easily guessed credentials. Consider forcing a global reset of all passwords in your environment before staff begin taking time off.

2) Implement Multi-Factor Authentication. After changing passwords, make implementing multi-factor authentication (MFA) a priority. MFA significantly reduces your risk from almost all opportunistic attempts to gain entry into your systems.

3) Address Known Exploited Vulnerabilities. This could include patching and/or additional controls such as network segmentation to protect vulnerable devices that cannot effectively be patched. CISA maintains a Known Exploited Vulnerabilities (KEV) catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) that utilities are encouraged to review to identify vulnerable systems. Also, prioritize network segmentation to prevent unauthorized access to your operational technology (OT) systems from the internet and to reduce connectivity between OT and vulnerable information technology (IT) systems.

4) Surge Support. Identify surge support for responding to an incident. Malicious cyber actors are known to target organizations on weekends and holidays when there are gaps in organizational cybersecurity.

5) Network/Systems Awareness. Be alert for unusual behavior in OT and IT systems, such as unexpected reboots of digital controllers and other OT hardware and software, and delays or disruptions in communication with field equipment or other OT devices. Enhance logging to support investigation of anomalous activity, including collecting more logs and increasing storage capacity and retention time.

6) Backup Data. Implement and test data backup procedures on both IT and OT networks and ensure copies of backups are isolated (stored offline) from the network.

7) Incident Response Plans. Create, maintain, and exercise cyber incident response and continuity of operations plans.

8) Manual Operations. Have a resilience plan that addresses how to operate your system if you lose access to or control of critical OT or IT systems – including the ability to sustain manual operations for extended periods.
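The following is an added example for item 3 above (reviewing the Known Exploited Vulnerabilities catalog to identify vulnerable systems); it is not code from WaterISAC, CISA, or the original page. It parses a feed in the same JSON layout as CISA's public KEV feed (a "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, requiredAction and dueDate) and matches it against an asset inventory by vendor and product name, listing overdue items first. The feed entries, CVE placeholders, vendor and product names, and the inventory are all constructed for illustration and are not real catalog data; the inventory "zone" field and the function names are this example's own.

```python
"""Match an asset inventory against a KEV-format catalog feed (added example)."""
import json
from datetime import date

# Constructed sample feed. Same field layout as the CISA KEV JSON feed (a subset of
# its fields), but every entry is a placeholder: not real CVE IDs, vendors or dates.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed sample feed (not the real catalog)",
    "catalogVersion": "0000.00.00",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleHMI", "product": "ViewStation",
         "vulnerabilityName": "ExampleHMI ViewStation Authentication Bypass",
         "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVPN", "product": "Edge Gateway",
         "vulnerabilityName": "ExampleVPN Edge Gateway Remote Code Execution",
         "dateAdded": "2021-12-10", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-12-24"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleOffice", "product": "Mail Server",
         "vulnerabilityName": "ExampleOffice Mail Server Privilege Escalation",
         "dateAdded": "2021-12-01", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-12-15"},
    ],
})

# Constructed inventory for a hypothetical utility. "zone" (OT/IT) is our own field,
# kept so OT hits can be routed to a segmentation decision instead of a patch ticket.
SAMPLE_INVENTORY = [
    {"asset": "hmi-plant1", "vendor": "examplehmi", "product": "viewstation", "zone": "OT"},
    {"asset": "vpn-edge", "vendor": "ExampleVPN", "product": "Edge Gateway", "zone": "IT"},
    {"asset": "plc-well3", "vendor": "ExamplePLC", "product": "Controller", "zone": "OT"},
]


def _key(vendor, product):
    # The catalog is not consistent in case or spacing, so normalise before comparing.
    return (" ".join(vendor.split()).casefold(), " ".join(product.split()).casefold())


def load_kev_index(feed_text):
    """Parse a KEV-format feed and index its entries by normalised (vendor, product)."""
    feed = json.loads(feed_text)
    index = {}
    for entry in feed["vulnerabilities"]:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    return index


def match_inventory(kev_index, inventory, as_of_iso):
    """Return one finding per (asset, KEV entry) pair, overdue items first.

    KEV entries carry no affected-version data, so a hit means "this vendor/product
    has a known-exploited CVE; confirm the installed version against the vendor
    advisory", not that the asset is confirmed vulnerable.
    """
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for asset in inventory:
        for entry in kev_index.get(_key(asset["vendor"], asset["product"]), []):
            findings.append({
                "asset": asset["asset"],
                "zone": asset["zone"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "overdue": date.fromisoformat(entry["dueDate"]) < as_of,
                "requiredAction": entry["requiredAction"],
            })
    # Overdue first, then by due date, then by asset name for a stable report.
    findings.sort(key=lambda f: (not f["overdue"], f["dueDate"], f["asset"]))
    return findings


if __name__ == "__main__":
    index = load_kev_index(SAMPLE_KEV_JSON)
    for f in match_inventory(index, SAMPLE_INVENTORY, "2021-12-16"):
        flag = "OVERDUE" if f["overdue"] else "due"
        print(f"{f['asset']:<12}{f['zone']:<4}{f['cveID']:<15}{flag:<8}{f['dueDate']}  "
              f"{f['requiredAction']}")
```

To run this against the real catalog, replace SAMPLE_KEV_JSON with the contents of the downloaded KEV JSON file and SAMPLE_INVENTORY with your own asset list. Two caveats a practitioner should keep in mind: the match is on vendor and product name only, so every hit still needs the installed version checked against the vendor advisory; and, as item 3 notes, some OT devices cannot be patched, which is why each finding carries the asset's zone so that OT hits can be handled by segmentation rather than by a patch ticket.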

Additional Resources

• Protecting Against Malicious Cyber Activity before the Holidays (White House; 12/16/21)

https://www.whitehouse.gov/briefing-room/statements-releases/2021/12/16/protecting-against-malicious-cyber-activity-before-the-holidays/

• Joint Cybersecurity Advisory Ongoing Cyber Threats to U.S. Water and Wastewater Systems (CISA, FBI, NSA, EPA; 10/14/21)

https://www.waterisac.org/portal/tlpwhite-joint-advisory-regarding-ongoing-cyber-threats-us-water-and-wastewater-systems

• WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities

https://www.waterisac.org/fundamentals

• U.S. EPA Cybersecurity Best Practices for the Water Sector

https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector

• AWWA Resources on Cybersecurity

https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance

WaterISAC Incident Reporting

WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector.

TLP:AMBER Definition: Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp.