BACKGROUND:
The FBI, CISA, EPA and NSA announced yesterday a cybersecurity advisory that details ongoing cyber threats to U.S. water and wastewater systems. The advisory highlights ongoing malicious cyber activity targeting the IT and OT networks, systems, and devices of U.S. water and wastewater sector facilities, threatening the ability to provide clean, potable water to, and effectively manage the wastewater of, their communities.
It is heartening to see the FBI, CISA, EPA, and the NSA working together with the Water ISAC and Dragos to put this alert together. Adversaries are looking to use spearphishing (targeted phishing) and exploits against unpatched software or outdated firmware to execute these attacks. From a people, processes, and technology viewpoint, user training should have been the number one recommendation so as to recognize phishing attempts, thwart ransomware, or respond rapidly if it takes hold, rather than the last bullet in the ‘additional mitigations’ strategy and buried near the end. I had not heard of the Department of State’s Rewards for Justice (RFJ) program; reporting foreign government malicious activity against U.S. critical infrastructure could earn up to $10 million. That sounds so much better than recent legislation to penalize victims of ransomware for not reporting in a timely manner or when payouts are made.