Federal Agencies Advise Water and Wastewater Facilities About Hacker Attacks and Phishing Attempts


In early October 2021, the Federal Bureau of Investigation (FBI), the Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) put out a statement warning water and wastewater treatment facilities of hacker attacks. The statement urged these facilities to take extra steps to protect themselves from cyberattacks infecting Information Technology (IT) and Operational Technology (OT) networks. One of the main threats highlighted by the federal agencies' is phishing emails. Phishing emails can masquerade as a typical email but generally include links or attachments that contain malware. Phishing emails sometimes look like they are sent from contacts on a person's email list. If these emails are taken seriously and links or attachments are opened, ransomware attacks can contribute to security issues for WTPs/WWTPs. Threatening the security of Water and Wastewater Treatment Plants (WTPs and WWTPs) is a concern that affects communities by tampering with clean, potable water supplies. As reported in a previous blog post, in February of 2021, a Water Treatment Plant in Florida made international news when a hacker tried to pump a deadly amount of sodium hydroxide into the plant's water supply. Additional cybersecurity threats this past year have targeted water and wastewater facilities in Maine, Nevada, and California.


The Full Advisory can be read here.

Citation:


Miller, Maggie. “Agencies Warn of Cyber Threats to Water, Wastewater Systems.” TheHill, The Hill, 14 Oct. 2021, https://thehill.com/policy/cybersecurity/576835-agencies-warn-of-cyber-threats-to-water-wastewater-systems?rl=1.


Ongoing Cyber Threats to U.S. Water and Wastewater Systems. https://us-cert.cisa.gov/sites/default/files/publications/AA21-287A-Ongoing_Cyber_Threats_to_U.S._Water_and_Wastewater_Systems.pdf.


“Weak Cybersecurity Can Threaten Water Infrastructure.” KEGI, KEGI, 12 May 2021, https://www.kegi.net/post/weak-cybersecurity.