Six Warning Signs of a Malicious Cyber Incident


A new Cybersecurity and Infrastructure Security Agency (CISA) guide goes beyond explaining how water/wastewater organizations should respond to cybersecurity incidents.

It highlights six warning signs that administrators can use to confirm that malicious activity is actually occurring on a network. Misconfigured firewalls, access-control problems and other benign issues can produce false alarms, so CISA advises organizations to validate that a malicious incident is under way before notifying authorities.

Changing Threat Landscape

Nitin Natarajan, CISA Deputy Director, and David Travers, EPA Director of the Water Infrastructure & Cyber Resilience Division, said securing the water/wastewater sector from cyber threats is a national security matter.

“We’ve seen a change in the adversarial landscape. We’re not just talking about nation states. We’re not just talking about China, Russia, Iran, North Korea, but we’re seeing cyber-criminal, cyber-terrorist organizations that are also causing harm here in the United States.”

Natarajan’s office has also seen a shift in the types of victims. Mid-sized and rural water/wastewater authorities are now frequent targets.

Natarajan and Travers spoke during a LinkedIn Live interview with CISA on Feb. 7.

CISA’s incident response guide outlines six red flags to look for when you suspect a malicious cybersecurity incident.

Six Warning Signs of a Malicious Cyber Incident

Unusual System Behavior: A system runs slower than usual, crashes frequently, or displays excessive pop-ups.

Unfamiliar Network Activity: Network activity or traffic shows unusual or unexpected data transfers, connections to unknown IP addresses, or unauthorized access attempts.

Unexplained Data Loss or Modification: Files suddenly disappear, become corrupted, or their contents are modified without authorization.

Security Software Alerts: The utility’s anti-malware or firewall software sends warnings.

Phishing Attempts: Suspicious emails, messages, or phone calls asking for personal information or login credentials arrive at the utility.

Unusual Networks or Systems: Unknown devices or unauthorized access points start appearing on the utility's network.

Source: CISA
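Two of the signs in the list above, unfamiliar network activity and unknown devices, can only be checked against a baseline: an allowlist of destinations the control network is expected to reach and an inventory of the devices that belong on it. The script below is an added example, not code from CISA or GrayMatter. It runs over a few constructed log lines in a hypothetical format (one line per flow record, one per DHCP lease), flags connections to destinations outside the allowlist, flags MAC addresses that take a lease but are absent from the inventory, and then correlates the two so that traffic from an unlisted device to a PLC stands out. The inventory, the allowed networks, the byte threshold and the log format are all assumptions made for the example.

```python
"""Triage helper for two of CISA's six warning signs (added example, not CISA code).

Log format, device inventory, allowlisted networks and thresholds are assumptions.
"""
import ipaddress
import re

# Constructed asset inventory: MAC addresses of devices expected on the OT segment.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:01": "PLC-1 (chemical dosing)",
    "00:1a:2b:3c:4d:02": "HMI-1",
    "00:1a:2b:3c:4d:03": "Historian",
}

# Constructed allowlist: networks the OT segment legitimately talks to.
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.10.0.0/16"),     # the OT segment itself
    ipaddress.ip_network("192.168.50.0/24"),  # corporate historian / jump hosts
]

# Assumed threshold: an outbound transfer this large to an unexpected host is rated "high".
EXFIL_BYTES = 10_000_000

# Hypothetical log format, one record per line.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) FLOW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)
DHCP_RE = re.compile(r"^(?P<ts>\S+) DHCP mac=(?P<mac>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: HMI-1 (10.10.1.20) pushes 48 MB to an outside host, and an
# unlisted device takes a lease and then talks Modbus/TCP (502) to the PLC.
SAMPLE_LOG = """\
2024-02-07T03:12:01 FLOW src=10.10.1.5 dst=10.10.1.20 dport=502 bytes=1200
2024-02-07T03:12:07 FLOW src=10.10.1.20 dst=203.0.113.77 dport=443 bytes=48000000
2024-02-07T03:15:30 DHCP mac=00:1a:2b:3c:4d:02 ip=10.10.1.20
2024-02-07T03:16:02 DHCP mac=aa:bb:cc:dd:ee:ff ip=10.10.1.99
2024-02-07T03:18:44 FLOW src=10.10.1.99 dst=10.10.1.5 dport=502 bytes=900
2024-02-07T03:20:10 FLOW src=10.10.1.20 dst=192.168.50.8 dport=443 bytes=2200
"""


def parse(log_text):
    """Split log text into flow records and DHCP lease records; unrecognised lines are skipped."""
    flows, leases = [], []
    for line in log_text.splitlines():
        if m := FLOW_RE.match(line):
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            flows.append(rec)
        elif m := DHCP_RE.match(line):
            leases.append(m.groupdict())
    return flows, leases


def is_allowed(ip):
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def unexpected_connections(flows):
    """Warning sign: connections to destinations outside the allowlist, rated by volume."""
    findings = []
    for f in flows:
        if not is_allowed(f["dst"]):
            severity = "high" if f["bytes"] >= EXFIL_BYTES else "medium"
            findings.append((f["ts"], f["src"], f["dst"], f["dport"], f["bytes"], severity))
    return findings


def unknown_devices(leases):
    """Warning sign: MACs that obtained a lease but are not in the asset inventory (mac -> ip)."""
    return {l["mac"]: l["ip"] for l in leases if l["mac"].lower() not in KNOWN_DEVICES}


def rogue_device_flows(flows, leases):
    """Correlate the two: flows originating from IPs leased to devices not in the inventory."""
    rogue_ips = set(unknown_devices(leases).values())
    return [(f["ts"], f["src"], f["dst"], f["dport"]) for f in flows if f["src"] in rogue_ips]


def triage(log_text=SAMPLE_LOG):
    """Run all checks and return the findings keyed by check name."""
    flows, leases = parse(log_text)
    return {
        "unexpected_connections": unexpected_connections(flows),
        "unknown_devices": unknown_devices(leases),
        "rogue_device_flows": rogue_device_flows(flows, leases),
    }


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name}: {findings}")
```

On the constructed sample this reports one outbound transfer to 203.0.113.77 rated "high", one unlisted MAC at 10.10.1.99, and one Modbus/TCP flow from that address to the PLC. The point is the baseline, not the script: without an inventory of expected devices and expected destinations, none of these three findings can be distinguished from normal operation, which is exactly the "where am I missing data" question raised in the next section.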

Do You Have the Data?

Key to CISA’s recommendation is having visibility into the system’s network. Without that, it would be difficult if not impossible to catch some of the warning signs early.

“I’m a huge proponent of making decisions with data,” says Scott Christensen, Cyber Practice Director at GrayMatter. “The first thing you look at is where am I missing data? Do I have a good asset inventory? Have I done a risk assessment? Do I understand the components of my network? Have I settled on a standard for my network?

“If I have those pieces, then I can start to say where can I put the right protections in place? What are the right technologies I should be leveraging?” Christensen said.

– Scott Christensen, GrayMatter

During the LinkedIn Live interview, Travers and Natarajan answered a key question about responding to cyber incidents.

“When a cyber incident happens, what do you do and who do you tell?”

Notify CISA and the FBI

“This information allows not only for CISA to lend its technical expertise, if needed, to the victim but also provides us with immediate insight in the risk landscape facing water systems,” Travers said.

Follow Your Established Response Plan

“Our sincere hope is that utilities have conducted a risk assessment in advance of an incident, so they’ve identified what their vulnerabilities are and hopefully have adopted cybersecurity measures to mitigate those instances,” Travers said. “A crucial portion of that is having a cyber incident response plan.”

Review CISA’s Incident Response Guide (Preferably, Ahead of Time)

“Organizations all over the world plan exercises for fire drills, evacuation drills, natural disasters in their impacted areas. We want to get organizations to start building cybersecurity exercises into what they do, into their engagement with employees and management,” said Natarajan, the CISA Deputy Director. “This should be a normal part of what people do.”

Travers said recent attacks on water/wastewater facilities by so-called hacktivist groups likely would have been prevented with some simple protection in place.

“The adoption of a relatively straightforward and basic cybersecurity practice would have sufficed to thwart the attack,” he said.

For more resources on how to conduct a cybersecurity assessment of your own, click Start a Project at GrayMatter.