Hacktivists pose a recurring threat to water utilities, CISA warns
In a bid to bolster the security of Industrial Control Systems (ICS) and Operational Technology (OT) environments, particularly in the water sector, the Cybersecurity and Infrastructure Security Agency (CISA) has released a series of strategies and recommendations. These advisories underscore the importance of vulnerability management, continuous monitoring, and prompt mitigation in the face of escalating cyber threats.
### Core Strategies and Recommendations from CISA:
CISA emphasizes the importance of regularly reviewing ICS advisories, which identify new vulnerabilities and exploits across ICS products from prominent vendors such as Siemens, Delta Electronics, and Advantech. Stakeholders in the water sector are encouraged to stay informed about current threats and apply suggested mitigations promptly.
Affected Siemens products such as SINEC NMS, TIA Portal, and SIPROTEC 5 require patches or updates to address the specific flaws highlighted by CISA. Automated or manual updates help reduce exposure to known exploits that could allow unauthorized access or system manipulation.
CISA also recommends segregating ICS and OT networks from corporate IT and internet-facing systems to limit attack surface and lateral movement within critical infrastructure. Organizations should deploy monitoring tools to detect anomalous activity within ICS environments in real time, facilitating rapid incident response and threat hunting.
Collaboration with equipment vendors upon vulnerability disclosures is crucial to ensure mitigations are understood and deployed correctly. Preparing incident response plans that consider ICS-specific threat scenarios is also encouraged.
### Recommendations Specific to the Water Sector:
While the recent advisories cover multiple critical infrastructure sectors, the water sector shares similar ICS and OT technologies. Critical water infrastructure operators are urged to incorporate CISA’s ICS vulnerability advisories into their cybersecurity programs.
The security of control system components, such as Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and remote terminal units that manage water treatment and distribution, should be prioritized based on identified product vulnerabilities from vendors like Siemens and Delta Electronics.
Adopting CISA’s broader ICS security frameworks and resources, such as the Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) recommendations, which emphasize asset inventory, risk assessments, secure configurations, user training, and multi-factor authentication, is also advisable.
### The Ongoing Threat Landscape:
CISA warns that exposed and vulnerable industrial control systems and operational technology environments can be hacked using unsophisticated methods like brute-force attacks and default passwords. Over the past year, CISA and other federal authorities have issued multiple warnings about state-linked threat activity, including attacks against water and wastewater facilities.
The Biden administration has prioritized cybersecurity in the water sector for the last couple of years, with recent incidents like the one in Arkansas City, Kansas, highlighting the need for improved defenses. Despite the attack, the water supply remains safe, and there has been no disruption to service.
In response, authorities are providing free cybersecurity awareness training to local utilities, and investigations into potential grant funding to help cash-strapped providers boost their resiliency are underway. The White House and EPA held a virtual conference with state officials in March to discuss mitigation against cyber threats.
### Looking Ahead:
As the threat landscape continues to evolve, it is crucial for the water sector to integrate CISA’s strategies into operational practices. Examples of non-compliance, such as failing to cut off accounts for former workers and allowing multiple employees to share the same login, underscore the importance of vigilance and adherence to best practices.
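The two account failures named above (former workers' accounts left active, and several employees sharing one login) can be checked with a short audit. The following is an added example, not code from CISA or from this article; the account export fields, the staff roster, the login records and the 15-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from any real utility).
ACTIVE_STAFF = {"amartin", "bchen", "dlopez"}           # current HR roster
ACCOUNTS = [                                             # HMI/SCADA account export
    {"login": "amartin",  "owner": "amartin", "enabled": True},
    {"login": "jsmith",   "owner": "jsmith",  "enabled": True},   # has left
    {"login": "kpatel",   "owner": "kpatel",  "enabled": False},  # left, disabled
    {"login": "operator", "owner": None,      "enabled": True},   # no named owner
    {"login": "bchen",    "owner": "bchen",   "enabled": True},
]
LOGINS = [                                               # (login, workstation, time)
    ("amartin",  "hmi-01", "2024-10-01T08:00:00"),
    ("operator", "hmi-01", "2024-10-01T08:05:00"),
    ("operator", "hmi-02", "2024-10-01T08:07:00"),
    ("bchen",    "eng-01", "2024-10-01T09:00:00"),
    ("bchen",    "hmi-02", "2024-10-01T15:00:00"),
]

def orphaned_accounts(accounts, active_staff):
    """Enabled accounts whose named owner is no longer on the roster."""
    return sorted(a["login"] for a in accounts
                  if a["enabled"] and a["owner"] and a["owner"] not in active_staff)

def unowned_accounts(accounts):
    """Enabled accounts with no single accountable owner (generic logins)."""
    return sorted(a["login"] for a in accounts if a["enabled"] and not a["owner"])

def concurrent_use(logins, window=timedelta(minutes=15)):
    """Logins seen on two different workstations within `window`: likely shared."""
    by_login = {}
    for login, host, ts in logins:
        by_login.setdefault(login, []).append((datetime.fromisoformat(ts), host))
    flagged = set()
    for login, events in by_login.items():
        events.sort()
        # Comparing neighbours is enough once events are in time order.
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and t2 - t1 <= window:
                flagged.add(login)
    return sorted(flagged)

def audit(accounts, active_staff, logins):
    return {"orphaned": orphaned_accounts(accounts, active_staff),
            "unowned": unowned_accounts(accounts),
            "concurrent": concurrent_use(logins)}

if __name__ == "__main__":
    for finding, names in audit(ACCOUNTS, ACTIVE_STAFF, LOGINS).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Each finding maps to a remediation: disable orphaned accounts, and replace unowned or concurrently used logins with individually assigned credentials.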
Keith Lunden, manager of the cyber physical team at Mandiant, stated that they expect these attacks to continue for the foreseeable future given the lack of dedicated cybersecurity personnel for many small- and mid-sized organizations operating OT. As such, it is essential for the water sector to remain vigilant and proactive in its cybersecurity efforts.
- The Cybersecurity and Infrastructure Security Agency (CISA) suggests regularly reviewing ICS advisories that identify new vulnerabilities in Siemens, Delta Electronics, and Advantech products, and applying suggested mitigations promptly.
- Vulnerable systems in Siemens products like SINEC NMS, TIA Portal, and SIPROTEC 5 require patches or updates to address specific flaws highlighted by CISA.
- CISA recommends segregating ICS and OT networks from corporate IT and internet-facing systems, deploying monitoring tools for real-time detection of anomalous activity, and collaborating with equipment vendors upon vulnerability disclosures.
- Critical water infrastructure operators are urged to prioritize securing control system components like Programmable Logic Controllers (PLCs), SCADA systems, and remote terminal units, and to adopt CISA's broader ICS security frameworks and resources.
- Exposed and vulnerable industrial control systems can be hacked using simple methods, and there has been a rise in state-linked threat activity against water and wastewater facilities in the past year.
- To strengthen cybersecurity defenses, authorities are providing free cybersecurity awareness training to local utilities and exploring potential grant funding for cash-strapped providers, and the water sector is being advised to remain vigilant and proactive in its cybersecurity efforts.