
CISA Issues Advisory on ICS Attacks Targeting Water and Wastewater Systems

CISA releases cybersecurity advisory warning of increased targeting of water and wastewater systems (WWS) sector by cyber threat actors exploiting operational technology vulnerabilities. The alert follows multiple incidents compromising ICS/SCADA systems controlling water treatment and distribution. CISA recommends immediate mitigation measures for critical infrastructure operators including network segmentation, access controls, and monitoring.


The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on April 11, 2023, alerting water and wastewater systems (WWS) operators to heightened cyber threats targeting operational technology (OT) and industrial control systems (ICS). The advisory follows reported incidents where threat actors gained access to SCADA systems controlling water treatment chemical dosing, distribution network pumps, and storage tank levels. CISA identified vulnerabilities in internet-exposed human-machine interfaces (HMIs), weak authentication, and inadequate network segmentation as primary attack vectors.

Threat Landscape and Attack Vectors

Threat actors increasingly target WWS facilities using reconnaissance tools to identify internet-exposed ICS devices through Shodan, Censys, and similar search engines. Attackers exploit default credentials on HMIs and engineering workstations, unpatched vulnerabilities in SCADA software, and VNC/RDP services with weak authentication. Successful compromises enable manipulation of chemical dosing systems, pressure levels, and valve controls affecting water quality and availability.

The advisory documented attack patterns including initial access through phishing campaigns targeting operators, exploitation of internet-facing VPN gateways, and supply chain compromises through managed service providers. Threat actors conduct extensive reconnaissance identifying PLCs, RTUs, and SCADA servers before attempting lateral movement. The prolonged dwell time—averaging 45+ days in OT networks—allows attackers to map control systems and identify critical operational components before executing attacks.

Notable WWS Cybersecurity Incidents

Recent incidents underscore sector vulnerabilities. In February 2021, an attacker remotely accessed a Florida water treatment facility's SCADA system, briefly increasing sodium hydroxide levels 100-fold before operator intervention prevented harm. In 2022, threat actors compromised California and Pennsylvania water utilities' operational networks, though operators detected the intrusions before any systems were manipulated. The incidents demonstrate that successful ICS compromises can threaten public health and safety beyond typical data breaches.

International incidents compound concerns. Iranian-aligned actors targeted Israeli water infrastructure in 2020, attempting to manipulate chlorine levels. The Colonial Pipeline ransomware attack (2021), while targeting IT networks, demonstrated cascading impacts when OT operations were shut down preemptively. Threat groups including Volt Typhoon and other APTs focus on pre-positioning in U.S. critical infrastructure for potential future disruption operations.

CISA Recommended Mitigations

CISA mandates immediate implementation of network segmentation isolating OT networks from IT and internet connectivity. Organizations should deploy firewalls with explicit deny-all rules between network zones, require VPNs with multi-factor authentication for remote access, and eliminate internet-exposed ICS devices. Critical systems including HMIs and engineering workstations should not have direct internet connectivity under any circumstances.

Authentication requirements include disabling default credentials, implementing unique strong passwords per device, enforcing multi-factor authentication for all remote access, and using separate credentials for OT and IT systems. Organizations should inventory all ICS devices, document network architecture, identify single points of failure, and establish compensating controls for legacy systems that cannot be patched or upgraded.

Detection and Monitoring Capabilities

WWS operators should deploy continuous monitoring solutions detecting anomalous OT network traffic, unauthorized configuration changes, and suspicious access patterns. CISA recommends implementing intrusion detection systems (IDS) with OT-specific signatures, establishing baselines for normal operational patterns, and alerting on deviations. Network monitoring should identify reconnaissance attempts including port scanning, protocol-specific probing, and credential brute-forcing.

Logging requirements include collecting and retaining logs from HMIs, PLCs, engineering workstations, and network devices. Organizations should implement Security Information and Event Management (SIEM) platforms correlating IT and OT security events. Critical alerts include failed authentication attempts, configuration modifications outside maintenance windows, communication with unexpected external IP addresses, and process value changes inconsistent with operational commands.
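As an added example (not code from the CISA advisory or from this briefing), the four alert classes listed above expressed as simple detection rules and run over a handful of constructed OT log lines; the log format, the maintenance window, the OT address range and the thresholds are all assumptions:

```python
# Added example, not from the advisory: rule-based alerting over constructed OT log lines.
import ipaddress
from collections import defaultdict
from datetime import datetime, time

MAINT_WINDOW = (time(8, 0), time(17, 0))              # assumed maintenance window
OT_ALLOWED = [ipaddress.ip_network("10.10.0.0/16")]  # assumed OT address space
FAIL_THRESHOLD, FAIL_WINDOW_S, CMD_WINDOW_S, MAX_RATIO = 3, 60, 60, 10.0  # assumed thresholds

# Constructed sample in an assumed "timestamp|host|event|key=value ..." format.
LOGS = """\
2023-04-11T02:14:05|hmi-01|auth_fail|user=admin src=203.0.113.7
2023-04-11T02:14:09|hmi-01|auth_fail|user=admin src=203.0.113.7
2023-04-11T02:14:12|hmi-01|auth_fail|user=admin src=203.0.113.7
2023-04-11T02:16:30|hmi-01|config_change|target=plc-03 by=admin
2023-04-11T02:17:02|plc-03|setpoint|tag=naoh_ppm old=100 new=10000
2023-04-11T02:18:00|plc-03|net_conn|dst=198.51.100.20 proto=vnc
2023-04-11T10:05:00|ws-eng|operator_cmd|tag=pump2_speed value=55
2023-04-11T10:05:03|plc-01|setpoint|tag=pump2_speed old=50 new=55
"""

def parse(text):
    # Yield one dict per line: timestamp, host, event name and the key=value fields.
    for line in text.strip().splitlines():
        ts, host, event, detail = line.split("|", 3)
        yield {"ts": datetime.fromisoformat(ts), "host": host, "event": event,
               **dict(kv.split("=", 1) for kv in detail.split())}

def detect(text):
    # Return one alert string per rule hit, in log order.
    alerts, fails, cmds = [], defaultdict(list), defaultdict(list)
    for e in parse(text):
        t, ev = e["ts"], e["event"]
        if ev == "auth_fail":                       # repeated failures from one source
            key = (e["host"], e["src"])
            fails[key] = [x for x in fails[key] if (t - x).total_seconds() <= FAIL_WINDOW_S] + [t]
            if len(fails[key]) == FAIL_THRESHOLD:
                alerts.append(f"{t} brute-force: {FAIL_THRESHOLD} failures on {e['host']} from {e['src']}")
        elif ev == "config_change" and not (MAINT_WINDOW[0] <= t.time() < MAINT_WINDOW[1]):
            alerts.append(f"{t} config change on {e['target']} outside maintenance window")
        elif ev == "net_conn":                      # traffic leaving the OT address space
            dst = ipaddress.ip_address(e["dst"])
            if not any(dst in net for net in OT_ALLOWED):
                alerts.append(f"{t} {e['host']} connected to unexpected external {dst} ({e['proto']})")
        elif ev == "operator_cmd":                  # remember legitimate commands per tag
            cmds[e["tag"]].append(t)
        elif ev == "setpoint":                      # process change must follow a recent command
            old, new = float(e["old"]), float(e["new"])
            if not any(0 <= (t - c).total_seconds() <= CMD_WINDOW_S for c in cmds[e["tag"]]):
                alerts.append(f"{t} setpoint {e['tag']} changed without operator command")
            if old > 0 and new / old > MAX_RATIO:
                alerts.append(f"{t} setpoint {e['tag']} jumped {new / old:.0f}x ({old} -> {new})")
    return alerts
```

The pump-speed change at 10:05 is preceded by an operator command and stays within the ratio bound, so it raises nothing; the unsolicited hundredfold dosing change does.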

Incident Response Planning

CISA requires that WWS facilities develop ICS-specific incident response plans addressing OT network compromises, process manipulations, and safety system failures. Plans must include procedures for isolating compromised systems without disrupting critical water treatment operations, manual override procedures for automated systems, and communication protocols with regulatory authorities and customers.

Organizations should conduct tabletop exercises simulating ICS compromise scenarios, practice transitioning to manual operations, and validate backup systems functionality. Response plans must coordinate between IT security teams, OT engineers, safety officers, and executive leadership. Critical decisions—such as shutting down compromised treatment processes—require predefined authorization chains and safety assessments.

Regulatory and Compliance Context

The EPA released cybersecurity guidance for WWS facilities in 2021, recommending risk assessments, incident response planning, and employee training. While most cybersecurity practices remain voluntary for water utilities, some states mandate incident reporting and minimum security controls. The American Water Works Association (AWWA) published the J100 standard, which provides risk-based guidance for protecting water and wastewater systems against cyber threats.

The Infrastructure Investment and Jobs Act (2021) allocated $1 billion for water infrastructure including cybersecurity improvements. State revolving funds increasingly condition loans on demonstrated cybersecurity maturity. Federal agencies debate whether to impose mandatory cybersecurity requirements on water utilities similar to Transportation Security Administration's pipeline security directives. The sector anticipates regulatory evolution toward mandatory baseline security controls.

Technical Modernization Challenges

Many WWS facilities operate legacy SCADA systems designed in the pre-internet era without security considerations. Budget constraints limit modernization investments, with small and rural utilities disproportionately vulnerable due to limited IT/OT security expertise and funding. Aging infrastructure requires extended operational lifespans for ICS components, creating patching and upgrade challenges.

Organizations face competing priorities between operational reliability and security improvements. Patching OT systems risks operational disruptions and requires extensive testing in non-production environments many facilities lack. Air-gapping OT networks conflicts with operational efficiency and remote monitoring capabilities. The technical debt accumulated over decades requires long-term modernization roadmaps balancing security, reliability, and cost constraints.

Strategic Implications for CTIOs

CTIOs responsible for water utilities or critical infrastructure must prioritize OT cybersecurity as a public safety imperative. Technical leaders should conduct comprehensive ICS asset inventories, perform risk assessments identifying critical control systems, and implement network segmentation projects immediately. Organizations should establish OT security programs separate from IT security, recognizing distinct operational requirements, risk profiles, and technologies.

Investment priorities include hiring OT security expertise, deploying continuous monitoring solutions, upgrading internet-exposed systems, and implementing multi-factor authentication. CTIOs should establish partnerships with sector ISACs (Information Sharing and Analysis Centers), participate in threat intelligence sharing, and leverage CISA services including vulnerability scanning and incident response support. The convergence of IT and OT security requires that CTIOs develop expertise across both domains while respecting the operational priorities of safety, reliability, and regulatory compliance in critical infrastructure environments.
