US authorities said on Thursday that four ransomware attacks had penetrated water and wastewater facilities in the past year, and they warned similar plants to check for signs of intrusions and take other precautions.
The alert from the Cybersecurity and Infrastructure Security Agency (Cisa) cited a series of apparently unrelated hacking incidents from September 2020 to August 2021 that used at least three different strains of ransomware, which encrypts computer files and demands payment for them to be restored.
Attacks at an unnamed Maine wastewater facility three months ago and one in California in August moved past desktop computers and paralysed the specialised supervisory control and data acquisition (Scada) devices that issue mechanical commands to the equipment.
The Maine system had to turn to manual controls, according to the alert co-signed by the FBI, National Security Agency and Environmental Protection Agency.
A March hack in Nevada also reached Scada devices that provided operational visibility but could not issue commands.
Cisa said that it was seeing increasing attacks on many forms of critical infrastructure, in line with those on the water plants.
In some cases, the water facilities are handicapped by low municipal spending on technology cybersecurity.
The Department of Homeland Security agency’s recommendations include access log audits and strict use of additional factors for authentication beyond passwords.