CISA Issues Cyber Threat Warnings for Water and Wastewater Plants and Systems

October 20, 2021 by Alessandro Mascellino

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently published a new advisory warning companies of ransomware attacks targeting water and wastewater facilities (WWS).

CISA released the new report in collaboration with the National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI). The document mentions five different cyber intrusions targeting these types of facilities between 2019 and 2021 and urges organizations to implement various security measures.


Evolving Threats

According to CISA, the threats posed by malicious actors targeting water and wastewater facilities are varied and increasingly dangerous.

“This activity, which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” the advisory mentioned.


An industrial facility where cyberattacks are likely to occur. 


The document also noted some tactics commonly adopted by malicious actors trying to compromise IT and OT networks, systems, and devices. These include spear-phishing personnel to deliver malicious payloads and ransomware, exploitation of unsupported or outdated operating systems and software, and exploitation of control system devices with vulnerable firmware versions.

In the document, CISA also clarified that the majority of threats in this industry are associated with insider threats (current or former employees who maintain improperly active credentials) and external ransomware attacks.


Cyberattacks are Becoming Increasingly Common in the Industrial Sector

The advisory mentions five separate attacks on WWS facilities that took place in the past three years. In March 2019, a former employee of a Kansas-based WWS facility reportedly tried and failed to remotely access a facility computer using credentials that hadn't been revoked.

In September 2020, compromised files and potential Makop ransomware were observed at a New Jersey-based WWS facility. In March 2021, an unknown ransomware variant was deployed against a Nevada-based WWS facility.


A wastewater treatment plant. 


More recently, ZuCaNo ransomware was introduced onto a Maine-based WWS facility's wastewater SCADA computer in July 2021. Additionally, a Ghost variant ransomware attack was recorded against a California-based WWS facility in August 2021.


Mitigating Risks

To prevent, detect, and respond to the aforementioned cyber threats, the CISA advisory called for WWS facilities to renew their efforts in using a risk-informed analysis to assess the applicability of various technical and non-technical mitigations.

“To secure WWS facilities—including Department of Defense (DoD) water treatment facilities in the United States and abroad [...] CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory,” the text reads.

The new security suggestions build on the Ransomware Prevention Guidelines CISA released in September 2020 and cover several different scenarios.


The cover of the Ransomware Guide. Image used courtesy of CISA


In particular, the advisory covers WWS monitoring for suspicious activities and indicators that may suggest threat actor activity, as well as remote access and network mitigations. The document also describes planning and operational mitigations, together with safety system mitigations and additional mitigations.

The advisory comes months after the Biden Administration unveiled a new national plan to secure critical infrastructure control systems. CISA hopes this advisory will help warn companies of the potential threats in large facilities and plants that deal with water and wastewater.