Federal government partners have just released a TLP:WHITE* Joint Cybersecurity Advisory on the recent compromise of a U.S. water treatment facility. This product provides a summary of the incident informed by personnel who assisted with the onsite response, threat overviews based on what was observed, and a series of recommendations organizations are encouraged to consider to protect themselves against similar activity.
In addition to being posted as a PDF below, the advisory is also available on the Cybersecurity and Infrastructure Security Agency (CISA) website here.
Threat Overviews for Desktop Sharing Software and Windows 7 End of Life
The advisory states that cyber actors likely accessed the system by exploiting cybersecurity weaknesses, such as an outdated operating system (Windows 7), and that desktop sharing software (TeamViewer) may have been used to gain access to the system. Based on these findings and observations from other activity, the advisory includes threat overviews for desktop sharing software and Windows 7 end of life. These threat overviews discuss how cyber actors have been observed exploiting these systems for malicious activities.
Recommendations, including for Water and Wastewater Systems
The advisory includes a specific recommendations category for water and wastewater systems, which emphasizes the importance of installing independent cyber-physical safety systems. As the product notes, these are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor. It observes that these types of controls can be of particular benefit to smaller systems, such as the one involved in the recent incident, which may have limited cybersecurity capabilities. The product also includes lists of general recommendations and TeamViewer software recommendations.
* Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. Read more about the TLP, or Traffic Light Protocol, at CISA.