Cyber Incident Victim: Nevada Water and Wastewater System
Date: Mar 2021
Location: United States of America
Summary
The Nevada Water and Wastewater System experienced cyber threats involving spearphishing, exploitation of outdated systems, and insecure remote access, leading to compromises in both IT and operational technology networks. Threat actors employed tactics including ransomware attacks and insider threats, risking operational disruption and unauthorized access to critical infrastructure systems. These incidents highlighted vulnerabilities in control system devices and firmware, reflecting broader malicious activities targeting water sector facilities to disrupt services or compromise safety mechanisms.
Description
Malicious cyber activity targeting U.S. Water and Wastewater Systems (WWS) facilities occurred between 2019 and 2021, with documented incidents continuing through early 2021. Threat actors employed tactics including spearphishing campaigns to gain initial access, exploitation of outdated operating systems and software vulnerabilities, and compromise of internet-facing control system devices with weak authentication protocols. These attacks affected both IT and operational technology (OT) networks, with actors leveraging insecure remote access configurations to move laterally across networks. Specific techniques involved ransomware deployment to encrypt critical systems and insider threats exploiting privileged access. Operational disruptions included temporary loss of visibility into process control systems and manipulation of critical functions, though the advisory does not specify duration or geographic extent of service interruptions for individual facilities.

The joint advisory highlighted consequences such as compromised ability to monitor water treatment and distribution systems, potential risks to water quality assurance protocols, and interruptions to maintenance scheduling systems. Response actions by sector facilities included implementing enhanced network monitoring for anomalous traffic patterns, isolating compromised workstations and servers, and activating manual operational controls to maintain service continuity during IT system outages. Organizations conducted forensic reviews of affected systems to identify intrusion vectors and deployed patches for vulnerable industrial control system components. Facilities also initiated password resets for accounts with elevated privileges and reviewed remote access logs to identify unauthorized connections. The advisory noted sector-wide efforts to improve cyber-physical safety mechanisms designed to prevent malicious manipulation of chemical dosing levels or pressure management systems.
