On October 14, 2021, the U.S. Environmental Protection Agency (EPA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) jointly published an Advisory (AA21-287A) that warns of ongoing malicious cyber activity—by both known and unknown actors—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. A copy of the Advisory, which describes threat tactics and techniques as well as mitigation solutions, is available HERE. The Advisory also contains many links to external EPA and other CISA resources that address cybersecurity, including action checklists and best practices for the water sector. Cybersecurity threats to the water industry made national headlines in February of 2021, when a water system in Oldsmar, Florida experienced a cyberattack that raised the levels of sodium hydroxide more than 100-fold, a level that could sicken water customers and corrode pipes.
Additionally, on December 29, 2021, The Hill reported that a recent CISA report identified potential threats to the manufacturing sector. The report lists three potential operational vulnerabilities in Industrial Control Systems:
- expanded cyber-attack surfaces
- reduced network segmentation and securitization
- unauthorized access (both physical and online)
The report also cautions about additional risks posed by the shift to robotic process automation (RPA)—the automation of critical manufacturing production by employing robots and management through remote operators. With the COVID-19 pandemic, the use of RPA has been increasing as companies work to limit the number of onsite workers.