
Troubled Waters: EPA Announces Increase in Cyber Enforcement, Top Defensive Tips

Michael Clark

May 30, 2024

Water and wastewater systems across the U.S. are increasingly being targeted by cyberattacks. Russia-linked hacktivists were responsible for a January 2024 cyberattack against a rural Texas town’s water system, and an Iran-linked group breached multiple U.S. water systems in late 2023. Adversaries perpetrating these attacks are attempting to manipulate the operational technology (OT) in water and wastewater facilities in order to disrupt the treatment, distribution, and storage of water; damage pumps and valves; and alter chemicals to hazardous levels.

In response, the U.S. Environmental Protection Agency (EPA) announced in late May 2024 that it would be increasing inspections and enforcement actions to protect the nation’s drinking water.

According to the EPA, recent inspections have revealed that over 70% of water and wastewater systems don’t fully comply with the Safe Drinking Water Act. Many of these systems have critical vulnerabilities, such as default passwords on OT devices and shared credentials for all employees. The EPA plans to remedy this with increased inspections and by taking civil and criminal enforcement actions, where appropriate.

Top Cyber Actions to Protect Water Systems

The EPA, Cybersecurity and Infrastructure Security Agency (CISA), and FBI issued a joint fact sheet describing what operators of water systems can do to defend more effectively against the increasing wave of cyberattacks targeting them. Recommended actions include process improvements as well as technical suggestions. The fact sheet also contains links to additional free services, resources, and tools.

Assessments and training are among the top defensive actions water systems operators can take. The agencies recommend conducting regular cybersecurity assessments to understand vulnerabilities, administering cybersecurity awareness training at least once a year, and regularly practicing cybersecurity incident response and recovery plans. But assessments and training aren’t foolproof. Education can reduce the likelihood of an error, but it only takes one mistake for your network to be compromised. That’s why preventative measures are just as important.

The agencies’ top recommendation is to reduce the exposure of OT devices, such as programmable logic controllers (PLCs) and remote terminal units (RTUs), to the public-facing internet. These devices are often adversaries’ primary targets because they frequently cannot be managed with an endpoint agent, and by manipulating them, cyber threat actors can cause lasting physical damage to an organization. Operators should also change any default passwords on OT devices immediately and implement multi-factor authentication (MFA) where possible.

Any known vulnerabilities should be patched as quickly as possible. Scheduled downtime is a great opportunity to patch OT devices. It’s also critical to back up OT and IT systems regularly in multiple, air-gapped locations. This ensures it’s possible to return to a known, safe state in the event of a compromise.

Finally, operators should regularly inventory their OT and IT assets and use network monitoring solutions to identify any devices communicating on the network. Security teams can’t protect what they don’t know about, so an accurate inventory of assets is crucial for effective defense. The agencies recommend focusing first on internet-connected devices and devices where manual operation isn’t possible.
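As an added illustration (not part of the original post and not ExtraHop's product code), the following Python script turns a set of constructed flow records into the kind of asset inventory the fact sheet asks for, then ranks hosts the way the agencies recommend: internet-exposed OT devices first. The OT port list and the internal address ranges are assumptions an operator would replace with their own.

```python
import ipaddress
from collections import defaultdict

# Assumed OT/ICS service ports (Modbus/TCP, Siemens S7comm over ISO-TSAP,
# DNP3, EtherNet/IP). An operator would extend this for the vendors on site.
OT_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip"}

# Assumed internal address space; anything outside it is treated as internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (source IP, destination IP, destination port).
# Addresses are invented for this example.
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.5.7", 502),     # HMI polling a PLC over Modbus
    ("203.0.113.44", "10.10.5.7", 502),   # internet source reaching the same PLC
    ("10.10.1.21", "10.10.5.9", 102),     # engineering station to an S7 PLC
    ("10.10.1.21", "10.10.5.9", 443),
    ("10.10.1.30", "10.10.6.2", 22),      # jump host to an IT server
    ("198.51.100.9", "10.10.6.2", 443),   # internet source to a web server
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def build_inventory(flows):
    """Return {host: {"services": set, "ot": bool, "internet_exposed": bool}}
    for every destination host seen in the flow records."""
    inv = defaultdict(lambda: {"services": set(), "ot": False, "internet_exposed": False})
    for src, dst, port in flows:
        entry = inv[dst]
        entry["services"].add(port)
        if port in OT_PORTS:
            entry["ot"] = True          # host speaks an OT protocol
        if not is_internal(src):
            entry["internet_exposed"] = True  # reached from outside the plant
    return dict(inv)

def prioritize(inventory):
    """Order hosts for review: internet-exposed OT devices, then other
    internet-exposed hosts, then remaining OT devices, then everything else."""
    def rank(item):
        host, e = item
        return (not (e["ot"] and e["internet_exposed"]), not e["internet_exposed"], not e["ot"], host)
    return [host for host, _ in sorted(inventory.items(), key=rank)]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for host in prioritize(inv):
        e = inv[host]
        print(host, sorted(e["services"]), "OT" if e["ot"] else "IT", "EXPOSED" if e["internet_exposed"] else "")
```

In a real deployment the flow records would come from a flow collector or network sensor rather than a hard-coded list.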

How RevealX Can Help

The RevealX network detection and response platform from ExtraHop passively monitors all north-south and east-west network traffic, including encrypted traffic, without degrading network performance.

In addition, RevealX helps water system operators achieve many of the recommended cyber actions above by automatically mapping an organization’s network and discovering and classifying every asset communicating with it. This asset discovery capability gives water and wastewater treatment facilities visibility into every device on their networks, including OT and other devices that can’t run endpoint detection and response (EDR) agents. When devices can’t support EDR agents, the powerful network detection and response capabilities of RevealX fill this otherwise significant security control and visibility gap.

Through its real-time network visibility, observability, and asset discovery capabilities, RevealX can tell operators of water systems which devices are exposed to the public internet or in need of patching and therefore vulnerable to being hacked, in addition to providing many more insights about their network security postures.

The powerful decryption capabilities and extensive protocol fluency provided by RevealX also enable security teams to keep pace with the most sophisticated attackers. State-backed threat actors attempt to evade detection by hiding in encrypted network traffic and using living-off-the-land techniques to pose as legitimate processes. RevealX sees right through these procedures. Encrypted Traffic Analysis helps to identify suspicious encrypted traffic with abnormal behavior. With decryption of TLS 1.3 traffic and analysis at speeds up to 100 Gbps, RevealX can also quickly identify adversaries hiding in regularly encrypted traffic, even if that traffic behaves normally. RevealX also decodes more than 90 application, database, network, and internet protocols, including Microsoft protocols like Kerberos, MSRPC, LDAP, WinRM, SMBv3, and NTLM. This unmatched protocol fluency enables security teams to rapidly uncover living-off-the-land techniques that other solutions are blind to. Attackers can delete logs and evade EDR or intrusion detection systems (IDSs), but the network sees everything, shows everything, and can’t be evaded. RevealX leaves nowhere for attackers to hide.
