Cyber999 Advisories

6 January 2025     Advisory

MA-1228.012025: MyCERT Advisory - Cyber Security Threat to Water Systems and Recommendations for Best Practices


1.0 Introduction 
The water utilities sector faces increasing cyber threats targeting IT and operational technology (OT) systems alike. These attacks often target internet-exposed OT and industrial control system (ICS) devices. OT controls vital functions such as pumps, chlorination, and valves. Older systems with inadequate updates and unprotected access points are vulnerable. Attackers may exploit weak security, such as default passwords, to breach critical infrastructure. They could use relatively simple techniques to attack smaller ICS and OT environments, including those in the water, dams, energy, and food and agriculture sectors. Some of these attacks include ransomware, unauthorised access to programmable logic controllers (PLCs), breaches exposing customer data, brute force attacks and accessing systems using default credentials. While larger utilities have bolstered their defences, smaller systems remain highly vulnerable.

A recent cyber incident, which occurred in October 2024 at the New Jersey-based American Water, affected its computer networks and systems. While no operational disruptions were reported at its water or wastewater facilities, the incident raised concerns about cybersecurity vulnerabilities within the water sector.

Although we have not received any incident reports of significant threats to water systems in Malaysia, we advise system administrators to be vigilant of potential threats. We urge system administrators to take necessary steps to secure their systems and networks to prevent such occurrences and minimise risks. We have provided some recommendations in this advisory to guide system administrators.

2.0 Impact
Below are the potential impacts of cyber attacks on water systems:

  1. Harm and disruption to the water system's normal operation
  2. Unsafe drinking water due to contamination and chemical exposure
  3. Potential danger to public health
  4. Loss of productivity: businesses dependent on water (e.g., agriculture, manufacturing) face operational shutdowns
  5. Data breaches can result in reputational harm to the water systems and may diminish trust in government digital transformation initiatives
  6. Ransomware attacks exploit sensitive data and use it as leverage. If the ransom is not paid within the given time, the water system organisation's confidential data will be exposed, and trade secrets may be compromised
  7. Huge recovery costs following cyber attacks

3.0 Recommendations
Below are some recommendations to secure water systems, reduce cyber risk and eventually improve resilience to cyber attacks:

  1. Change default passwords immediately to strong and robust passwords. Implement password revocation and enforce password changes
  2. Reduce exposure to the public-facing internet
  3. Use the rule of least privilege, which means that accounts have access to only the minimum amount of data they need
  4. Use multi-factor authentication to identify and protect critical assets and access to critical information systems
  5. Restrict access authorisations according to user roles and develop an authorisation policy to secure idle accounts; automatically lock accounts and alert IT staff after several failed login attempts
  6. Network segmentation is crucial for water treatment facilities. It can significantly reduce the risk of large-scale cyber attacks
  7. Update security patches and antivirus software regularly
  8. Back up OT/IT systems daily and test the backups regularly. Keep multiple backup copies and place them in a remote location
  9. Reduce exposure to vulnerabilities
  10. Conduct cyber security awareness training for all staff at least once a year
  11. Conduct regular cyber security assessments
  12. Review and update the Disaster Recovery Plan
  13. Review and update the Business Continuity Plan
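
One way to implement the lockout, alerting and idle-account checks in recommendation 5, shown as an added example that is not part of the MyCERT advisory. The thresholds (5 failures in 10 minutes, 90 days idle), the event format and the account names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; the advisory says only "several" failed attempts.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
IDLE_AFTER = timedelta(days=90)

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample events: (timestamp, account, source address, outcome).
EVENTS = [
    (_t("2024-08-01T09:00:00"), "vendor_svc", "10.20.0.5", "success"),
    (_t("2025-01-05T08:00:00"), "operator1", "10.20.0.11", "success"),
    (_t("2025-01-06T07:58:00"), "engineer2", "10.20.0.12", "failure"),
    (_t("2025-01-06T07:59:00"), "engineer2", "10.20.0.12", "failure"),
    (_t("2025-01-06T08:00:00"), "engineer2", "10.20.0.12", "success"),
] + [
    # Six rapid failures against one account from a documentation-range address.
    (_t("2025-01-06T02:10:00") + timedelta(seconds=20 * i),
     "admin", "203.0.113.7", "failure")
    for i in range(6)
]
NOW = _t("2025-01-06T09:00:00")

def review_logins(events, now):
    """Return (locked accounts, idle accounts, alerts for IT staff)."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    last_ok = {}                  # account -> last successful login
    locked, alerts = set(), []
    for ts, account, source, outcome in sorted(events):
        if account in locked:
            continue              # stays locked until staff review it
        if outcome == "success":
            last_ok[account] = ts
            recent[account].clear()
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > WINDOW: # drop failures outside the sliding window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            locked.add(account)
            alerts.append((account, len(q), source))
    idle = sorted(a for a, ts in last_ok.items()
                  if now - ts > IDLE_AFTER and a not in locked)
    return locked, idle, alerts
```

In production the same logic would normally be enforced by the authentication service itself, with the alert tuples forwarded to whatever channel IT staff monitor.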

Generally, CyberSecurity Malaysia advises organisations to be updated with the latest security announcements and follow best practices to secure systems and networks.

For further enquiries, please contact us through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.mycert.org.my

4.0 References

  1. https://www.mycert.org.my/portal/advisory?id=MA-931.042023
  2. https://www.mycert.org.my/portal/advisory?id=MA-824.122021
  3. https://www.mycert.org.my/portal/advisory?id=MA-1034.022024
  4. https://www.darkreading.com/ics-ot-security/hackers-hot-water-utilities?_mc=NL_DR_EDT_DR_weekly_20250102&cid=NL_DR_EDT_DR_weekly_20250102&sp_aid=127393&elq_cid=48621096&sp_eh=ac4eef9b74cf2d82c9cbb97fe6b660696a67d48329d368c712c479d019ca3df8&sp_eh=ac4eef9b74cf2d82c9cbb97fe6b660696a67d48329d368c712c479d019ca3df8&sp_cid=56291
  5. https://ottawa.citynews.ca/2024/05/20/epa-warns-of-increasing-cyberattacks-on-water-systems-urges-utilities-to-take-immediate-steps/
  6. https://www.theglobeandmail.com/canada/article-duffin-creek-water-ransomware-hack/
  7. https://www.bankinfosecurity.com/largest-us-water-utility-hit-by-cybersecurity-incident-a-26478
  8. https://www.cybersecuritydive.com/news/cisa-hacktivist-exploit-water-utility/728163/
  9. https://www.cisa.gov/sites/default/files/2024-03/fact-sheet-top-cyber-actions-for-securing-water-systems.pdf
CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Digital (KD)
 
Contact Us

  • CyberSecurity Malaysia,
    Level 7 Tower 1, Menara Cyber Axis, Jalan Impact,
    63000 Cyberjaya, Selangor Darul Ehsan, Malaysia.

  • enquiry@cybersecurity.my

  • +603 - 8800 7999

  • +603 - 8008 7000
