Two major water companies, one in the United States and one in the United Kingdom, have been targeted in ransomware attacks that resulted in data breaches.
In the U.S. incident, Veolia North America, which describes itself as the world's largest private player in the water sector, providing water and wastewater services to tens of millions of people, said ransomware hit the backend systems of its Municipal Water division. The company took the affected backend systems and servers offline, which disrupted its online bill payment systems.
"This incident seems to have been confined to our internal back-end systems at Veolia North America, and there is no evidence to suggest it affected our water or wastewater treatment operations," Veolia said. The company has also determined that the personal information of "a limited number of individuals" may have been compromised; those individuals will be notified. No known ransomware group has taken credit for the attack on Veolia.
In contrast, the Black Basta ransomware group has listed the U.K.'s Southern Water on its leak website, claiming to have stolen 750 GB of files, including ones containing personal information and corporate documents. The cybercriminals posted several screenshots showing that they obtained scans of identification documents (passports and driver's licenses) and other documents containing personal information. They threatened to release the data unless a ransom is paid.
Southern Water, which provides water services to 2.5M customers and wastewater services to 4.7M customers in the South of England, confirmed that suspicious activity was detected on its systems and an investigation was launched.
The water utility is investigating the claims but has currently found no evidence that customer relationships or financial systems have been impacted. "Our services are not impacted and are operating normally," it said. Eduard Kovacs "Major US, UK Water Companies Hit by Ransomware" www.securityweek.com (Jan. 24, 2024)
Commentary
Infrastructure attacks such as these are evidence of increased efforts by malicious actors to target critical infrastructure all over the world.
One common entry method is exploiting a vulnerability in software or firmware; the resulting foothold lets the attacker move further into the organization's network, regardless of the organization's sector or size.
Cybersecurity industry experts offer some recommendations that can help organizations prepare for future attacks.
Product security and risk officers should pay particular attention to vulnerabilities embedded in the third-party and open-source components of their applications. U.S. federal software supply chain requirements currently bind only suppliers that do business with the government, but other businesses should expect the same attestations from their own suppliers that software security standards have been met.
The Software Bill of Materials (SBOM) is quickly becoming a requirement, partly because of the expanding body of software supply chain security standards, including NIST's guidance. An SBOM is an inventory of the open-source and third-party components present in a codebase and of the dependency relationships between them (see https://www.cisa.gov/sbom).
An SBOM also records each component's version and the license that governs it. Matched against vulnerability databases, that version data lets security teams quickly determine which components are missing patches, and the license data exposes license risks. A majority of organizations are expected to require a signed SBOM for applications and software components deployed in their networks.
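The kind of check an SBOM makes possible, as an added example written for this commentary (not code from the article or from any vendor): a small Python reviewer that loads a CycloneDX-format SBOM and flags components that match a vulnerability advisory or carry a license the organization's policy denies. The SBOM fragment, the advisory list and the license policy are all constructed inline. The advisory entry is the real CVE-2021-44228 (Log4Shell) in log4j-core, with its affected range simplified to "every release before 2.15.0"; a real review would pull exact ranges from a feed such as OSV or NVD rather than embed them.

```python
import json

# Constructed SBOM fragment in CycloneDX JSON layout. Not a real vendor SBOM.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "readline", "version": "8.2",
     "purl": "pkg:generic/readline@8.2",
     "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
    {"type": "library", "name": "mystery-lib", "version": "0.1.0",
     "purl": "pkg:npm/mystery-lib@0.1.0"}
  ]
}'''

# Constructed advisory feed. CVE-2021-44228 is real; its affected range is
# simplified here to "any numeric version below 2.15.0". A production
# reviewer would load exact ranges from OSV or NVD instead of embedding them.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "fixed_in": "2.15.0"},
]

# Constructed license policy for a proprietary product: strong-copyleft
# licenses are not allowed into shipped binaries without legal review.
DENIED_LICENSES = {"GPL-2.0-only", "GPL-2.0-or-later",
                   "GPL-3.0-only", "GPL-3.0-or-later",
                   "AGPL-3.0-only", "AGPL-3.0-or-later"}


def parse_version(version):
    """Turn a dotted numeric version such as '2.14.1' into a comparable tuple.
    Pre-release tags ('2.0-beta9') are outside the scope of this example."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Return (package identity, version) from a package URL, dropping
    qualifiers ('?...') and subpaths ('#...') before splitting off '@version'.
    A purl without a version yields an empty version string."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    identity, sep, version = base.rpartition("@")
    if not sep:
        return base, ""
    return identity, version


def component_licenses(component):
    """Collect the SPDX license ids declared on a CycloneDX component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
    return ids


def review_sbom(sbom_json, advisories, denied_licenses):
    """Cross-check every component against the advisory feed and the license
    policy. Returns findings keyed by type: 'vulnerable' holds
    (name, version, advisory id), 'denied_license' holds (name, license),
    and 'no_license' holds names of components that declare no license."""
    sbom = json.loads(sbom_json)
    findings = {"vulnerable": [], "denied_license": [], "no_license": []}
    for comp in sbom.get("components", []):
        identity, version = split_purl(comp["purl"])
        for adv in advisories:
            if (adv["purl"] == identity and version
                    and parse_version(version) < parse_version(adv["fixed_in"])):
                findings["vulnerable"].append((comp["name"], version, adv["id"]))
        licenses = component_licenses(comp)
        if not licenses:
            # An undeclared license is itself a finding: it cannot be cleared.
            findings["no_license"].append(comp["name"])
        for lic in licenses:
            if lic in denied_licenses:
                findings["denied_license"].append((comp["name"], lic))
    return findings


if __name__ == "__main__":
    for kind, items in review_sbom(SBOM_JSON, ADVISORIES, DENIED_LICENSES).items():
        for item in items:
            print(kind, item)
```

Run as a script it reports log4j-core 2.14.1 against CVE-2021-44228, readline's GPL license against the policy, and mystery-lib for declaring no license at all. Matching on the version-stripped purl rather than on the bare component name is deliberate: names collide across ecosystems, while the purl pins the ecosystem and namespace.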
On the consuming side, organizations should adopt a "trust but verify" mindset and treat security as one of the activities involved in accepting and managing their digital assets. That means extending procurement and software asset management (SAM) practices beyond licensing and inventory. With an SBOM in hand, they can review vendor licensing terms and set explicit delivery, inspection, testing and acceptance requirements for the software they take in.