The Drinking Water Program is focused on providing Public Water Systems with the information and resources to protect themselves against the mounting cybersecurity threat.
3/2/23 Joint Cybersecurity Advisory: #StopRansomware: Royal Ransomware Notice
8/11/22 Homeland Security Network Defender Bulletin: Northeast Wastewater Facility Targeted with Ransomware
Upcoming Training Opportunity: Cybersecurity for the Vermont Water Sector Virtual Workshop on September 8, 2022
6/23/2022 Joint Cybersecurity Advisory: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
Save the Date: Chemical Security Summit 2022, August 23-25. See link for more information and registration here.
Alert from 4/6/22: Targeted Email Account Compromise Phishing Incidents Continue Against U.S. Water and Wastewater Utilities
The EPA and WaterISAC are aware that multiple water utilities have reported targeted phishing emails being sent to their employees during the past week. The emails, characterized as Business Email Compromise (BEC), have attempted to impersonate current employees or government officials. As they often do, these impersonation attempts have utilized official logos to give the phishing emails the appearance of legitimacy. These reports, along with responses to WaterISAC’s Quarterly Incident Surveys, corroborate that water and wastewater systems of all sizes continue being victimized by impersonation-style attacks such as Business Email Compromise, and specifically Vendor Email Compromise (VEC).
Due to similar activity over the past year, the EPA and WaterISAC published a joint advisory (EPA and WaterISAC Joint Advisory Regarding Continued Email Account Compromise Incidents Against U.S. Water and Wastewater Systems) in November to advise water and wastewater entities of the prevalence of this type of threat. In light of this ongoing threat activity, the EPA and WaterISAC once again remind all members and partners of the sector to review FBI PIN 20210317-001: Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments, Straining Resources and adopt the recommended mitigations. End-user awareness and education about BEC, VEC, and other impersonation-based scams, together with technical controls such as multifactor authentication (MFA), are some of the most important steps sector organizations can take to curb this threat.
Additional PINs and Resources
- FBI PIN: Cyber Criminals Exploit Email Rule Vulnerability to Increase Likelihood of Successful Business Email Compromise (TLP:WHITE)
- WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities
- AWWA Resources on Cybersecurity
- Security Awareness Reminder – Business Email Compromise, a Primer on Impersonation Attacks
- Cybersecurity Awareness/Hygiene – Proofpoint BEC Taxonomy Series
- Security Awareness – Managing the Human Side of Cyber
- EPA Cybersecurity Best Practices for the Water Sector
- Resilient Power Best Practices for Critical Facilities and Sites
WaterISAC encourages any members who have experienced malicious or suspicious activity to email firstname.lastname@example.org, call 866-H2O-ISAC, or use the online incident reporting form.
Tips for Improving Your Cybersecurity
Computer and Device Maintenance:
• Keep All Software Current: Up-to-date software provides the best defense against viruses, malware, and other online threats. Prioritize updates that address known exploited vulnerabilities.
• Automate Software Updates: Turn on automatic software updates if that's an available option. Replace unsupported operating systems, applications, and hardware. Test and deploy patches quickly.
• Protect All Devices that Connect to the Internet: Be aware of any and all devices, like smartphones, gaming systems, and other web devices, that are connected to your computer(s). These devices also require protection from viruses and malware.
• Secure your Wi-Fi Network: Use the strongest encryption available, change the default administrator password, disable Wi-Fi protected setup (WPS) and Universal Plug and Play (UPnP), reduce wireless strength and turn it off when not in use, upgrade firmware, disable remote management and monitor for unknown device connections.
• Plug & Scan: External devices, such as a USB, can be infected by viruses and malware. Scan these devices with security software.
• Ports and Protocols: Disable all ports and protocols not essential for business purposes.
• Cloud Services: If your organization is using cloud services, review and implement strong controls as outlined by the Cybersecurity and Infrastructure Security Agency (CISA) in the following guidance: https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a
• Backup Data: Employ a backup protocol that automatically and continuously backs up critical data and system configurations. Consider a backup system that is not physically connected to your network.
Password and Access:
• Two-Factor Authentication: Ensure that all remote access to your organization's network and any privileged or administrative access requires a Two-Factor Authentication process. Two-Factor Authentication is offered by account providers as an additional means of protection.
• Use Complex Passwords: Use a combination of capital and lowercase letters with numbers and symbols to create a more secure password.
• Unique Password: Use a unique password for every account.
• Secure Your Online Presence: Set privacy and security settings on websites for information sharing.
• Beware of Suspicious Links: Be cautious of suspicious links in emails, tweets, posts, and in online advertising. If a link looks suspicious, even if you know the source, delete the link.
• Wi-Fi Hotspots: Increase the security settings on your device to limit who can access your machine and limit the type of business you conduct.
• Don't Show Them the Money: Be cautious when banking and shopping. Look for web addresses that begin with https://; the "s" means the site takes extra measures to help secure your information.
• Use Caution: Be cautious when communications require immediate action, are too good to be true, or ask for personal information.
Staying Up to Date:
• Stay Current: Check CISA's website for the latest information, and share with friends, family and colleagues. https://www.cisa.gov/shields-up
• Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Help the Authorities Fight Cybercrime: Report theft of funds, identities, and all cybercrimes to CISA (https://www.cisa.gov/cybersecurity), the Internet Crime Complaint Center, and the Federal Trade Commission's IdentityTheft.gov.
• Assess Your Vulnerabilities: Take the time to thoroughly evaluate and standardize your system. https://www.cisa.gov/aes
Cybersecurity Resource Hub
Cybersecurity Resilience Review
Cyber Hygiene Services
Factsheet on Cyber Risk Summary for Water and Wastewater Systems Sector
Cyber safety video series (to use for training)
Incident Action Checklist for Cybersecurity
EPA Water Sector Cybersecurity Sector Brief for States
AWIA and Cybersecurity: EPA Guidance for Small Community Water Systems (CWS) on Risk Resilience Assessments (RRAs) under AWIA. Cybersecurity is only a small part of this resource, but this is one simpler tool that small systems can use to comply overall with America’s Water Infrastructure Act (AWIA), section 2013.
EPA free “Cybersecurity Assessment and Technical Assistance to Water and Wastewater Utilities” program
WaterISAC 15 Cybersecurity Fundamentals for Water and Wastewater Utilities
AWWA Water Sector Cybersecurity Risk Management Guidance (2019)
AWWA Cybersecurity Risk & Responsibility in the Water Sector