Joint Cybersecurity Advisory: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure to Cause Disruption

Overview

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Environmental Protection Agency (EPA) are urgently warning U.S. organizations of ongoing cyber exploitation of internet-connected operational technology (OT) devices, including Rockwell Automation/Allen-Bradley-manufactured programmable logic controllers (PLCs), across multiple U.S. critical infrastructure sectors.

Recommended Actions

EPA recommends water and wastewater systems review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommended immediate steps to prevent the attack:

  • Limit PLC exposure to the public internet
  • Ensure PLCs are in run mode to prevent remote modification
  • Replace all default passwords on PLCs and OT with strong, unique passwords

Water systems are encouraged to review and implement the additional follow-up steps included in the advisory to further strengthen their cybersecurity posture.

Technical Assistance

If you have questions about any of the information in this alert, including assistance with the mitigation steps, submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector.

Report an Incident

Organizations are encouraged to report information concerning suspicious or criminal activity to FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System.

Access Advisory Here

CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems – 2/25/26

CISA and partners have observed malicious cyber actors targeting and compromising the Cisco SD-WAN systems of organizations globally. These actors have been observed exploiting a previously undisclosed authentication bypass vulnerability, CVE-2026-20127, for initial access before escalating privileges using CVE-2022-20775 and establishing long-term persistence in Cisco SD-WAN systems.

The CISA alert is available here.

Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure

The FBI, CISA, and NSA assess that pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities compared to advanced persistent threat (APT) groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups—are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.

More information on this alert can be found here.

BRICKSTORM Backdoor CISA Alert

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess that People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based on analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware samples.

More information on the alert can be found on the CISA website here.

Microsoft SharePoint Vulnerabilities

The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators of the need for increased vigilance surrounding the use of Microsoft SharePoint. While the scope and impact continue to be assessed, the vulnerability chain, publicly reported as “ToolShell,” provides unauthenticated access to systems and, through network spoofing, authenticated access; it enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and to execute code over the network. See the full update regarding this release on CISA’s website.