The NJCCIC assesses with high confidence that the water sector, in New Jersey and across the globe, will remain an attractive target for a range of cyberattacks designed to disrupt daily operations, steal sensitive data, promote violence toward the community, and encrypt critical operational data.
New Jersey State Health Assessment Data states that New Jersey has over 600 community water systems, which provide drinking water to approximately 87% of the State's population. The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for increasing the cyber resiliency of the country's infrastructure, which includes the Water and Wastewater (WW) Sector. The services and recommendations offered by CISA are not mandatory and can be adopted voluntarily should the purveyor choose to do so. CISA reports that only a fraction of the country's more than 50,000 water facilities have taken advantage of CISA's services. Furthermore, after conducting a survey, CISA found that 1 in 10 WW plants had recently identified a critical cybersecurity vulnerability. More than 80 percent of these vulnerabilities involved software flaws discovered before 2017, highlighting the lack of cybersecurity expertise in such a critical infrastructure sector.
Threat actors targeting the WW sector include state-sponsored actors, cybercriminals, and insider threats. State-sponsored groups often carry out cyberattacks to achieve geopolitical goals by disrupting critical water supplies and stealing sensitive information that can be used to launch more sophisticated cyberattacks. WW sector entities are responsible for protecting sensitive personal information, including employee records and customer billing data. This personal information is an attractive target for financially motivated cybercriminals who attempt to extort millions in ransomware payments. Insider threats include disgruntled current or former employees who retain active credentials and use them improperly to cause disruption and damage, with potentially life-threatening consequences.
Russia's invasion of Ukraine, the sanctions subsequently imposed on Russia, and military and financial support for Ukraine have increased concerns about retaliatory cyberattacks that may target key water supplies. In 2018, the U.S. Department of Homeland Security and Federal Bureau of Investigation warned that the Russian government was specifically targeting the WW sector and other critical infrastructure sectors as part of a multistage intrusion campaign. Attacks for financial, political, and terroristic gain are a serious concern. A successful cyberattack on critical WW sector operations could cause devastating harm to public health, safety, and welfare, threaten national security, and result in costly recovery and remediation efforts. The American Water Works Association states that attacks causing contamination, operational malfunction, and service outages could result in illness and casualties, compromise emergency response efforts by firefighters and healthcare workers, and negatively impact transportation systems and the food supply. While state-sponsored groups have demonstrated the capability and intent to launch cyberattacks that damage WW infrastructure, New Jersey's water sector is more likely to face reconnaissance and intelligence collection activities aimed at exfiltrating data and establishing persistence on high-value networks for potential use in future sabotage operations.
Recent Incidents
WW sector entities have suffered a range of attacks, including ransomware, tampering with industrial control systems, manipulation of valve and flow operations and chemical treatment formulations, and other efforts to disrupt and potentially destroy operations. Below are the most recent incidents affecting US WW sector facilities.
- In January 2021, an attacker reportedly took control of a California local water treatment facility and deleted computer programs involved in the treatment of drinking water. The cybercriminal accessed the plant's systems using the credentials of former employees, which were used to connect to the TeamViewer remote control software.
- In February 2021, the town of Oldsmar, Florida narrowly avoided a health disaster when cybercriminals allegedly took control of the city's wastewater treatment facility. The attacker reportedly collected TeamViewer login credentials shared by several employees and then exploited flaws present in a Windows 7 operating system. This intrusion allowed the cybercriminal to increase the level of sodium hydroxide from 100 parts per million to 11,100 parts per million, which would have made the drinking water extremely toxic. Luckily, facility staff were able to quickly get the situation under control and save 15,000 Oldsmar residents from being poisoned.
- In August 2021, CISA reported malicious cyber actors used Ghost variant ransomware against a California-based WW facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
- In July 2021, CISA reported cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WW facility's wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored, using local control and more frequent operator rounds.
- In March 2021, CISA reported cyber actors used an unknown ransomware variant against a Nevada-based WW facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
- In September 2020, CISA reported personnel at a New Jersey-based WW facility discovered potential Makop ransomware had compromised files within their system.
- In March 2019, a former employee at a Kansas-based WW facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.
Attack Types
Spearphishing: Spearphishing, conducted with emails containing suspicious links to obtain unauthorized access, is one of the most common attacks. After accessing an information system, the attacker may install keyloggers to capture sensitive information such as login credentials, or infect the target's device with malware. Spearphishers carefully research their targets so that the attack appears to come from a trusted sender in the target's life. A spearphishing email uses social engineering techniques to urge the victim to click on a malicious link or attachment. Once the victim completes the intended action, the attacker can steal the credentials of the targeted legitimate user and enter the network undetected.
Distributed Denial-of-Service (DDoS): Distributed denial-of-service (DDoS) attacks are criminal acts in which information systems are overwhelmed by flooding the network with excessive traffic, denying legitimate users access to its sites. Bad actors may also take steps to take down a server or otherwise prevent users from accessing a service, website, or other information.
Port Scanning: This is typically one of the first steps attackers take when gathering reconnaissance information on a potential target. The goal is to discover which services are running, define the optimum strategy to access databases, and identify which users monitor services. One technique uses IP fragmentation to confuse the firewall so that its packet filters are bypassed. Another technique interrogates an open User Datagram Protocol (UDP) port to scan IP addresses by testing several protocols and other ports. TCP wrappers are one mitigation for such attacks, allowing the network manager to allow or block server access depending on the source IP address.
Operation Modification: Modifications to critical operational settings, such as manipulating valve and flow operations and chemical treatment formulations, and other efforts that disrupt and potentially destroy operations can result in illnesses and devastating casualties.
Social Engineering: Social engineering attacks generally depend on exploiting human curiosity. They often start with a phishing email, social media contact, or a call that seems to come from a trusted source, and generally play on the good nature of people by creating a sense of urgency or fear. The goal of the attacker is to get the user to provide sensitive information or click on a malicious link in order to steal their credentials or install malware for use in more sophisticated cyberattacks.
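The Oldsmar incident above is this attack type in practice: a remote session pushed a chemical dosing setpoint from 100 ppm to 11,100 ppm. The following Python is an added example, not NJCCIC's or any vendor's code, of a setpoint guardrail that blocks writes outside an engineered envelope and holds large jumps for a second operator's approval; the tag name, limits, and write sources are assumptions.

```python
from dataclasses import dataclass

# Constructed limits for one chemical dosing loop: tag name, envelope and step
# limit are illustrative assumptions, not any plant's real configuration.
@dataclass(frozen=True)
class SetpointLimits:
    tag: str             # SCADA tag being written (assumed name)
    low: float           # lowest value the process design permits
    high: float          # highest value the process design permits
    max_step_pct: float  # largest single change (% of current) without a second approval

NAOH_DOSE = SetpointLimits("NAOH_DOSE_PPM", low=50.0, high=200.0, max_step_pct=25.0)

def evaluate_write(limits, current, requested, source):
    """Classify one setpoint write as 'accept', 'hold' or 'block'.

    'block': outside the engineered envelope; alarm and keep the current value.
    'hold':  inside the envelope but a large jump; keep the current value until
             a second operator confirms at the local HMI.
    """
    if not (limits.low <= requested <= limits.high):
        return "block", (f"{limits.tag}: {requested} from {source} is outside "
                         f"[{limits.low}, {limits.high}]")
    step_pct = abs(requested - current) / current * 100.0 if current else float("inf")
    if step_pct > limits.max_step_pct:
        return "hold", (f"{limits.tag}: {current} -> {requested} from {source} is a "
                        f"{step_pct:.0f}% step, above {limits.max_step_pct}%")
    return "accept", f"{limits.tag}: {current} -> {requested} from {source}"

def apply_writes(limits, start, writes):
    """Replay (source, requested) writes; return (final setpoint, verdict log).
    Only accepted writes move the setpoint, so blocked or held writes leave
    the process where it was."""
    current, log = start, []
    for source, requested in writes:
        verdict, reason = evaluate_write(limits, current, requested, source)
        log.append((verdict, reason))
        if verdict == "accept":
            current = requested
    return current, log

# Constructed replay: routine trims from the local console, then a remote
# session attempting the Oldsmar-style jump reported above (100 -> 11,100 ppm).
DEMO_WRITES = [("hmi-console", 110.0), ("hmi-console", 150.0),
               ("remote-session", 11100.0), ("hmi-console", 95.0)]

if __name__ == "__main__":
    final, log = apply_writes(NAOH_DOSE, 100.0, DEMO_WRITES)
    for verdict, reason in log:
        print(f"[{verdict.upper():6}] {reason}")
    print("effective setpoint:", final)
```

In a real deployment the same check belongs in the PLC or a protocol-aware gateway in front of it, so that a compromised remote-access host cannot bypass it.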
Credential compromise: Attackers can obtain user credentials (username and password) through several methods, including:
- Brute-force attacks, in which attackers use automation to try numerous combinations of letters, symbols, and numbers to guess user credentials.
- Dictionary attacks, in which attackers attempt to gain access to protected systems using combinations drawn from published lists of common passwords.
- Various types of malware, such as worms and trojans.
- Other social engineering tactics that trick the user into providing login credentials directly.
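As an added example (not part of the original assessment), the following Python flags the brute-force and dictionary patterns above in remote-access authentication logs, which also supports the later recommendation to monitor remote access/RDP logs; the log format, usernames, and RFC 5737 documentation-range IP addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log (assumed format, made-up users, RFC 5737 addresses); not real output.
SAMPLE_LOG = """\
2023-03-01T08:00:01Z auth=fail user=operator src=203.0.113.10 svc=rdp
2023-03-01T08:00:04Z auth=fail user=operator src=203.0.113.10 svc=rdp
2023-03-01T08:00:07Z auth=fail user=operator src=203.0.113.10 svc=rdp
2023-03-01T08:00:10Z auth=fail user=operator src=203.0.113.10 svc=rdp
2023-03-01T08:00:20Z auth=ok user=operator src=203.0.113.10 svc=rdp
2023-03-01T08:01:00Z auth=fail user=admin src=198.51.100.7 svc=vpn
2023-03-01T08:01:02Z auth=fail user=scada src=198.51.100.7 svc=vpn
2023-03-01T08:01:04Z auth=fail user=jsmith src=198.51.100.7 svc=vpn
2023-03-01T08:02:00Z auth=fail user=jsmith src=192.0.2.5 svc=vpn
2023-03-01T08:02:09Z auth=ok user=jsmith src=192.0.2.5 svc=vpn
"""

LINE_RE = re.compile(r"^(\S+) auth=(ok|fail) user=(\S+) src=(\S+) svc=(\S+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unknown format: skip rather than guess
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return {"ts": ts, "ok": m.group(2) == "ok", "user": m.group(3), "src": m.group(4)}

def detect(lines, window=timedelta(minutes=5), max_failures=4, max_users=3):
    """Return (src, kind) alerts: 'brute-force' (max_failures failed logins from
    one source within the window), 'spray' (failures against max_users distinct
    accounts, the dictionary / password-spray pattern), and
    'success-after-failures' (a flagged source then logs in: likely compromise)."""
    recent = defaultdict(deque)  # src -> (ts, user) of failures inside the window
    flagged, alerts = {}, []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src, q = ev["src"], recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # drop failures that aged out
            q.popleft()
        if ev["ok"]:
            if src in flagged:
                alerts.append((src, "success-after-failures"))
            continue
        q.append((ev["ts"], ev["user"]))
        if src in flagged:
            continue
        kind = ("spray" if len({u for _, u in q}) >= max_users
                else "brute-force" if len(q) >= max_failures else None)
        if kind:
            flagged[src] = kind
            alerts.append((src, kind))
    return alerts
```

A success following a burst of failures from the same source is the alert worth paging on: it is the signature of a guessed or stolen credential now in use, and the account should be disabled and reviewed.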
Malware/Ransomware/Trojans: These classes of attacks generally aim to damage an information system or server by targeting vulnerabilities within the network. Trojans in particular can be used to infiltrate a system and may carry a payload with broad functionality, including credential exploitation, reconnaissance, or hindering operations. Furthermore, the use of external devices and the absence of anti-virus protection increase the attack surface, providing the attacker with additional avenues of exploitation.
Espionage and Data Theft: Data theft and espionage can be the starting point of a larger destructive attack. Attackers often perform reconnaissance and trial attacks on systems before attempting larger, subsequent operations. Not only is obtaining sensitive data beneficial to the attacker, but data leaks may also cause substantial damage to the economy.
Recommendations
The NJCCIC advises WW sector stakeholders to take proactive steps to improve their organizations' overall cyber risk management and preparedness. Cybersecurity presents major challenges, as it is still a relatively new dynamic in an ever-changing environment. Awareness is a vital step in contending with existing vulnerabilities and threats. To ensure a safe cyber environment, all staff members, including executives, should be properly trained and aware of the latest threats. Staff members and management should work together to ensure cybersecurity within the water sector. Cybersecurity is not solely an IT department responsibility; everyone is responsible and should be held accountable if they pose a risk. It is imperative that C-level and senior management convey the extreme importance of cybersecurity principles to the entire organization.
The following resources can assist the sector in becoming more resilient to cyberattacks.
- US Department of Homeland Security Enhanced Cybersecurity Services
- National Institute of Standards and Technology Cybersecurity Framework
- American Water Works Association: Cybersecurity Guidance and Assessment Tool
- United States Environmental Protection Agency. This site provides a list of best practices and resources such as a Cybersecurity Incident Action Checklist for guidance on preparation, response, and recovery of a cyber incident, and guidance on how to Develop and Conduct a Water Resilience Tabletop Exercise (TTX) with Water Utilities.
- CISA has also released a Cyber Risks & Resources for the Water and Wastewater Systems Sector infographics that details both information technology and operational technology risks the WW sector faces and provides select resources.
- Critical ICS Cybersecurity Performance Goals and Objectives, released by CISA, intends to help establish a common set of fundamental cybersecurity practices for critical infrastructure.
- The Water Information Sharing and Analysis Center (WaterISAC) is the most comprehensive single-point source for data, facts, case studies, and analysis on water security and threats from intentional contamination, terrorism, and cybercrime. Participating in information sharing and collaboration communities is vital to staying up to date with cyberattack types and trends.
- Water sector industry stakeholders are encouraged to become members of WaterISAC, as it provides access to water cybersecurity alerts, advisories, webinars, a thorough library of physical and cyber threat information, guidance on risk management, mitigation, and resilience, and contaminant databases.
At minimum, the WW sector, including interconnected organizations, should implement the following for their OT/IT environments:
- Tamper-resistant controls on field devices: Field devices must implement hardware security controls to prevent physical tampering.
- Trusted procurement procedures: Commercial off-the-shelf (COTS) hardware and software IT products, which are ready-made and available for purchase by the general public, must follow strict procurement procedures that only allow the installation of certified devices that meet strict security standards.
- Patching and updating: Support staff must install critical updates as soon as they are available and have been properly vetted, both for operating systems and ICS software. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Encryption: Devices must implement end-to-end encryption and include embedded security in their processes. In some cases, certificate pinning (SSL pinning) must be required to avoid spoofed devices. This includes protection from side channel attacks that can compromise encryption keys.
- Authentication and access control procedures: Facilities should implement strict authentication and authorization procedures for their employees and for all software entities. Develop access control measures to prevent unauthorized access to critical cyber systems.
- Penetration testing and internal audit: All facilities must implement rigorous vulnerability assessment and penetration testing audits on a regular basis to ensure continuous analysis of operational systems.
- Employee training and awareness: All employees should have some level of cybersecurity training. Those working on critical systems must have proper training or certifications to support the elevated threat level of their positions. Human error and phishing attacks are most effectively avoided through proper employee awareness rather than technical means.
- Network segmentation: All facilities must deploy proper network segmentation with DMZ configured and network isolation to protect critical systems. Whenever possible, ICS should not share the same network with internet-accessible devices.
- Use of different technologies: Implemented ICS should use devices and systems from different vendors to reduce the number of compromised assets per vulnerability. Although this measure introduces management complexity, it is a vital control to increase resiliency of critical systems.
- Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges based on their job description and needs. The Principle of Least Privilege must be implemented on all accounts and require administrator credentials to install software.
- Catalog and reduce system dependencies: Critical systems must identify and minimize dependencies on other systems and services, such as third-party processes.
- Minimize unified closed loop: Although closed-loop systems facilitate monitoring and control, and even though manual control exacerbates workload, operators should minimize the use of automatic controls over critical machinery. At the very least, all operations must be monitored and those being controlled with closed-loop systems should be fragmented to only control individual procedures.
- Create backups: Data should be backed up regularly as well as stored in an air gapped, password-protected manner. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Recovery plan: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data. Ensure that backup data is not stored on the same system that it backs up. Ideally, the backup should be kept in a physically separate, segmented, and secure location (e.g., a hard drive, storage device, or the cloud) away from the production system. Establish, test, and update incident response (IR) plans and continuity of operations plans (COOPs). These plans should include the processes and procedures needed to reduce downtime should an incident occur, as well as the steps to take to return operations to normal.
- Ensure password security: Use multi-factor authentication where possible. Use strong passwords and regularly change passwords to network systems and accounts. Implement concepts like password timeframes and complexities as well. Avoid reusing passwords for multiple accounts.
- Use secure networks only: Employees should remember to only use secure networks and avoid public Wi-Fi networks should they be working remotely. Consider installing and using a virtual private network.
- Email security: Consider adding an email banner to messages originating outside your organization and disabling hyperlinks in received emails.