The Colorado Information Analysis Center (CIAC) recently shared intelligence with WaterISAC regarding password attack activity targeting the SCADA networks of a water sector entity. WaterISAC is sharing this TLP:CLEAR report (attached below) for member awareness of targeted attacks in the water sector.

A water sector entity in Colorado has reported suspicious activity where their SCADA networks were targeted by cyber attackers. A number of accounts within their SCADA network became temporarily inaccessible due to a vulnerability that allowed access to a VPN portal login page, allowing attackers to conduct password attacks against the accounts on the SCADA network.

WaterISAC urges members to monitor their firewall and EDR appliances if applicable for suspicious activity and to follow the recommendations included in the report.

Recommendations From the Report:

• Assess the necessity of maintaining web-accessible VPN portals exposed to the internet.
• Consider disabling non-essential access points to reduce the risk of password-based attacks.
• Aim to minimize access points to sensitive infrastructure.
• Ensure strict controls are implemented for any remaining access points to critical systems.

Report Suspicious Activity

WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email [email protected], call 866-H2O-ISAC, or use the confidential online incident reporting form. Confidentially reporting to WaterISAC helps utilities and stakeholders maintain awareness of the threat environment of the sector. Additionally, to report incidents or suspicious activity to the FBI, contact your local field office at www.fbi.gov/contact-us/field-offices or the 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or [email protected]. You can also report activity to CISA, via its online tools, at (888)282-0870, or [email protected].

Access the full report below