U.S. Environmental Protection Agency (EPA), the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) issued a joint advisory warning to U.S. organizations, including those in the water sector, for an urgent and ongoing Ira nian-affiliated cybersecurity threat. U.S. organizations are experiencing exploitation and, in some cases, disruption of commonly used operational technology at drinking water and wastewater systems that are diligently working to ensure that Americans can rely on clean and safe water. “Cybersecurity threats are a serious concern for our nation’s water infrastructure, including the communities, businesses, hospitals, and other critical infrastructure sectors that rely on these critical lifeline services,” said EPA Assistant Administrator for Water Jess Kramer. “Water systems are encouraged to stay informed and work to adopt cybersecurity best practices.” The joint cybersecurity advisory includes information to help water systems identify specific vulnerabilities that are being exploited and take concrete steps to strengthen cyber resilience. It also underscores that the water sector remains an attractive target and continues to face threats from groups seeking to disrupt U.S. critical infrastructure. As a result of the recent cybersecurity exploitation, organizations from multiple U.S. critical infrastructure sectors have reported disruptions including configuration wiping, software-based mechanical sensor tampering, and disruption of human machine interfaces (HMIs). This activity has resulted in operational disruption and financial loss. “The FBI and its partners are issuing this advisory to ensure organizations are best positioned to defend themselves against exploitation by Iran-affiliated cyber actors,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division. “Our goal is to prevent further operational disruption and financial loss for targets of this threat activity while we work to impose costs on malicious actors—all of which builds upon the new Cyber Strategy for America.” EPA, as the federal lead responsible for enhancing the cybersecurity posture of the water sector, supports water systems utilities in identifying cybersecurity gaps and developing risk mitigation plans to address those gaps by providing free cybersecurity assessments, technical assistance, tools, and training. Importantly, these cybersecurity improvements often entail procedural changes rather than expensive hardware and software upgrades, and therefore even those water systems with limited technical resources have the ability to greatly improve their cyber defenses. These resources, and more, are readily accessible at www.epa.gov/cyberwater. EPA encourages water systems that need technical support or additional information on cybersecurity best practices to use EPA’s RealWaterTA resources and submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector. Organizations are encouraged to report information concerning suspicious or criminal activity to FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System. ...read more read less