FBI, CISA warn water facility operators of ongoing malicious cyber activity
Ransomware attackers are continuing to target water and wastewater facilities, U.S. intelligence and law enforcement officials warned in a bulletin based on incidents in five states.
A cybersecurity advisory published Thursday from the FBI, the Cybersecurity Infrastructure and Security Agency, the Environmental Protection Agency and the National Security Agency highlighted incidents in five states between March of 2019 and August 2021, where systems were targeted by either ransomware attacks or other hacks. In one case, a former employee of a Kansas-based facility tried to “threaten drinking water safety by using his user credentials…to remotely access a facility computer,” according to the alert.
Other incidents occurred in California, Maine, Nevada and New Jersey.
The notice pointed to “ongoing malicious cyber activity — both by known and unknown actors,” targeting information technology and operational technology networks, systems, and devices.
“Recent ransomware incidents and ongoing threats demonstrate why all critical infrastructure owners and operators should make cybersecurity a top priority,” said Eric Goldstein, the executive assistant director for cybersecurity at CISA.
The list did not include a February 2021 attack at a water treatment facility in Oldsmar, Fla., where an intruder broke into the facility’s computer system and temporarily changed the plant’s sodium hydroxide level. A plant worker reversed the change before the sodium hydroxide reached an unsafe level, officials said.
The attack was one of two that day, according to industrial security firm Dragos, which reported that the facility’s network suffered an intrusion as part of a botnet targeting “dozens” of other water companies.
The notice Thursday reported that water facilities could be vulnerable to common tactics such as spearphishing, exploitation of outdated or unsupported operating systems and software, and the exploitation of control system devices with vulnerable firmware versions. A February CISA notice cited poor password security and an outdated operating system as part of the Oldsmar sodium hydroxide situation.