While CISA assesses that there are not currently any specific credible threats to the U.S. homeland, all organizations are urged to be mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine.
Yesterday’s WaterISAC and joint EPA-WaterISAC advisories amplify CISA’s recent and ongoing emphasis on the need for all organizations to be vigilant, implement cybersecurity measures, and be prepared to respond to disruptive cyber attacks. Specifically, all organizations are urged to be diligent in:
- Locking down privileged accounts, including but not limited to implementing multifactor authentication (MFA) and monitoring for anomalous account activity.
- Being prepared to maintain continuity of operations, specifically for any ICS/OT dependencies that could be disrupted, and to sustain manual operations to maintain critical functions.
- Understanding and being proficient in incident response procedures (IRPs) before an incident occurs, including practicing IRPs in tabletop exercises.
- Lowering the threshold for sharing information regarding suspicious network activity. All organizations should report incidents and anomalous activity to CISA and/or the FBI via their local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].
Members are encouraged to review CISA’s newly posted Shields Up page and previously published WaterISAC and EPA webinars and advisories for more near-term actions and relevant resources.
Prior WaterISAC and EPA Webinars and Advisories
- EPA-WaterISAC Webinar: Cybersecurity Recommendations in Consideration of Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure
- (TLP:AMBER) U.S. EPA-WaterISAC Advisory on Recommendations in Consideration of Russian Cyber Operations
- (TLP:WHITE) Joint Cybersecurity Advisory (AA22-011A) Issued to U.S. Critical Infrastructure for Understanding and Mitigating Russian State-Sponsored Cyber Threats
WaterISAC Incident Reporting
WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email [email protected], call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector.
Additional resources (not included above)