Update

The Missouri Department of Natural Resources set up a dedicated email address for reporting cybersecurity incidents at water and wastewater plants. Send relevant details to wpp-cybersecurity@dnr.mo.gov from a non-compromised email account as soon as possible after an incident is discovered.

Original Alert

The USEPA and WaterISAC are alerting the water and wastewater systems sector to new information regarding a potential cyber threat to United States critical infrastructure. All water and wastewater system owners and operators should read this alert.

Due to current events between Russia and Ukraine, WaterISAC and the USEPA strongly encourage water and wastewater system owners and operators to maintain a heightened awareness for possible intrusions into their operational networks and to prepare to maintain critical operations if process control networks are disabled.

What General Actions are Recommended for Water and Wastewater Systems?

WaterISAC recommends the following key actions for water and wastewater systems:

  1. Require Strong, Unique Passwords. Malicious cyber actors repeatedly use stolen or easily guessed credentials. Consider forcing a global reset of all passwords in your environment before staff begin taking time off.
  2. Implement Multi-Factor Authentication. After changing passwords, make implementing multi-factor authentication (MFA) a priority. MFA significantly reduces your risk from almost all opportunistic attempts to gain entry into your systems.
  3. Address Known Exploited Vulnerabilities. This could include patching and/or additional controls such as network segmentation to protect vulnerable devices that cannot effectively be patched. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of Known Exploited Vulnerabilities that utilities are encouraged to review to identify vulnerable systems. Also, prioritize network segmentation to prevent unauthorized access to your operational technology (OT) systems from the internet and to reduce connectivity between OT and vulnerable information technology (IT) systems.
  4. Surge Support. Identify surge support for responding to an incident. Malicious cyber actors are known to target organizations on weekends and holidays when there are gaps in organizational cybersecurity.
  5. Network/Systems Awareness. Be alert for unusual behavior in OT and IT systems, such as unexpected reboots of digital controllers and other OT hardware and software, and delays or disruptions in communication with field equipment or other OT devices. Enhance logging to investigate anomalous activity – including collecting more logs and increasing storage capacity and retention time.
  6. Backup Data. Implement and test data backup procedures on both IT and OT networks and ensure copies of backups are isolated (stored offline) from the network.
  7. Incident Response Plans. Create, maintain, and exercise cyber-incident response and continuity of operations plans.
  8. Manual Operations. Have a resilience plan that addresses how to operate your system if you lose access to or control of critical OT or IT systems – including the ability to sustain manual operations for extended periods.

For more information about cybersecurity for public water and wastewater systems, visit:

https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector

https://www.waterisac.org/