Cybersecurity Threats: Lessons Learned from WaterISAC

phishing.png

In July of 2024, WaterISAC sent out an advisory to its members advising them to take caution when opening emails from seemingly "trusted" sources. This was sent after WaterISAC was made aware of a second phishing attempt against Maine water operators and well drillers that was disguised as an information verification form from Maine.gov. 

A screenshot of the attempted phishing email is shown below:

 

Now that phishing attempts are so common across the water sector, it is important to be vigilant when opening emails and clicking any links within. WaterISAC provided a list of lessons that can be learned from incidents like this, as well as resources to help water and wastewater systems get guidance on how to strengthen cybersecurity measures. These lessons and resources are shared below:

Lessons Learned

  • Share Information on Threats. In these cases, state agencies quickly sent out a broadcast alert to targeted audiences warning of the phishing attempt.
  • Open-Source Intelligence (OSINT).  There is a lot of information on the internet about our water systems. It is useful to know what public information is available. In some cases, detailed and sensitive information can be removed. In other cases, the information is intentionally part of the public record. Therefore, we need to be aware of this class of data so we are not fooled into trusting whoever has it because we believe only privileged sources have access to it.
  • Practice Phishing Drills. Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. CISA has free resources to assist, such as, Teach Employees to Avoid Phishing.
  • Not Sure, Call. If you are not sure that the source of an email is legitimate, call the supposed sender through previously established phone numbers to confirm the request’s validity.
  • Fall for a Phish, Contact Your IT Department. If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do. Everyone except the attacker, will be glad you did.

Additional Water and Wastewater Systems Sector Guidance Resources:



Comments are closed.