CISA: Hackers target industrial systems using “unsophisticated methods”

​CISA warned today of threat actors trying to breach critical infrastructure networks by targeting Internet-exposed industrial devices using "unsophisticated" methods like brute force attacks and default credentials.

According to the cybersecurity agency, these ongoing attacks targeting critical infrastructure OT and ICS devices are also impacting water and wastewater systems.

OT devices integrate hardware and software and help monitor and control physical processes in manufacturing, critical infrastructure, and other industries. In water treatment plants, for instance, they regulate water treatment processes, distribution, and pressure, ensuring a continuous and safe water supply.

"CISA continues to respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector," CISA warned on Wednesday.

"Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm."

The cybersecurity agency advised OT/ICS operators in critical infrastructure sectors at risk of attack to defend against malicious activity by applying measures shared in a May advisory when it warned of pro-Russian hacktivists targeting water facilities.

​As CISA said at the time, they have targeted insecure and misconfigured OT devices since 2022 to disrupt operations or create what it described as "nuisance effects" in attacks "mostly limited to unsophisticated techniques."

To protect against such attacks, defenders can change default passwords, enable multifactor authentication, place human-machine interfaces (HMIs) behind firewalls, harden VNC installs, and apply the latest security updates to the overall security posture of their IT environments.

"This year we have observed pro-Russia hacktivists expand their targeting to include vulnerable North American and European industrial control systems," said Dave Luber, NSA's Director of Cybersecurity, in May.

Today's advisory comes after Arkansas City, Kansas, revealed that a Sunday morning cyberattack forced it to switch its water treatment facility to manual operations. Last week, the U.S. Environmental Protection Agency (EPA) also issued guidance to help WWS owners and operators evaluate their cybersecurity practices and identify measures to reduce cyberattack exposure.

In March, the White House and EPA sought the support of state governors to defend water systems from cyberattacks, while the U.S. government sanctioned two Russian cybercriminals for targeting the water sector in July. In recent years, Iranian and Chinese state-backed hacking groups have also been linked to U.S. water system breaches.