🛑 THE BLUF (Bottom Line Up Front)

This week, the water sector remains squarely in the crosshairs. CISA continues to push ICS advisories at a relentless pace — multiple vendor-specific vulnerabilities affecting SCADA platforms, PLCs, and HMI software commonly deployed across water and wastewater systems demand immediate patching or mitigation. If you haven't reviewed your asset inventory against these advisories in the last 30 days, you are behind. The threat actors aren't waiting, and neither should you.

On the regulatory front, EPA's free Cybersecurity Technical Assistance Program and Cybersecurity Evaluation Program remain open for enrollment — and if you're a small or medium utility that hasn't signed up, you're leaving free money and expertise on the table. The agency continues to signal that cybersecurity compliance enforcement for community water systems is not a matter of "if" but "when." Meanwhile, WaterISAC continues to circulate threat intelligence on nation-state actors — particularly PRC-affiliated groups (Volt Typhoon successors) and Iranian-linked actors — that have demonstrated persistent interest in U.S. water infrastructure. The message is the same as it has been: these groups are pre-positioning for disruption, and your VPN, your remote access, and your unpatched HMIs are the front door.

Operators need to focus this week on three things: patch what you can, segment what you can't, and verify your remote access controls are locked down tight. No excuses.
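As an added example, not part of the briefing, the inventory check the BLUF calls for can be done with a short script: reconcile an OT asset inventory against a list of vendor advisories, flag assets whose firmware is older than the fixed version, and flag assets not reviewed in the last 30 days. All asset names, vendor names, advisory IDs, versions and dates below are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample inventory (placeholders, not real devices).
INVENTORY = [
    {"id": "PLC-01", "vendor": "ExampleVendor", "product": "PLC-X",
     "version": "2.1.4", "last_reviewed": date(2025, 1, 5)},
    {"id": "HMI-02", "vendor": "ExampleVendor", "product": "HMI-Y",
     "version": "5.0.0", "last_reviewed": date(2025, 2, 20)},
    {"id": "RTR-03", "vendor": "OtherVendor", "product": "EdgeRouter",
     "version": "1.9", "last_reviewed": date(2025, 2, 25)},
]

# Constructed advisory list (placeholder IDs, not real CISA advisories).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "vendor": "ExampleVendor", "product": "PLC-X",
     "fixed_in": "2.2.0"},
    {"id": "ADV-PLACEHOLDER-2", "vendor": "ExampleVendor", "product": "HMI-Y",
     "fixed_in": "4.9.0"},
]


def parse_version(v: str) -> tuple:
    """Turn '2.1.4' into (2, 1, 4) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def affected(asset: dict, advisory: dict) -> bool:
    """True when vendor/product match and the running version predates the fix."""
    same_product = (asset["vendor"].lower() == advisory["vendor"].lower()
                    and asset["product"].lower() == advisory["product"].lower())
    return same_product and parse_version(asset["version"]) < parse_version(advisory["fixed_in"])


def match_advisories(inventory: list, advisories: list) -> dict:
    """Map each affected asset ID to the advisory IDs it still needs patched for."""
    hits = {}
    for asset in inventory:
        ids = [a["id"] for a in advisories if affected(asset, a)]
        if ids:
            hits[asset["id"]] = ids
    return hits


def stale_assets(inventory: list, today: date, max_age_days: int = 30) -> list:
    """Asset IDs whose last review is older than the allowed window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a["id"] for a in inventory if a["last_reviewed"] < cutoff)


if __name__ == "__main__":
    print("Unpatched:", match_advisories(INVENTORY, ADVISORIES))
    print("Not reviewed in 30 days:", stale_assets(INVENTORY, date(2025, 3, 1)))
```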

🎯 THREAT INTELLIGENCE (Lead Items)

Nation-State Pre-Positioning Continues Against U.S. Water Infrastructure

WaterISAC and CISA continue to track activity from PRC-affiliated advanced persistent threat (APT) clusters — the operational successors to what the community tracked as Volt Typhoon — conducting reconnaissance and pre-positioning operations against U.S. critical infrastructure, with water and wastewater utilities among the priority targets. These actors exploit end-of-life network edge devices (routers, VPN concentrators, firewalls) to establish footholds and persist undetected for months or years. Their objective is not immediate disruption — it is strategic access that can be leveraged during a geopolitical crisis. CISA China Cyber Threat Guidance

Additionally, Iranian-affiliated threat actors continue to target water utilities running Israeli-manufactured PLCs and HMI systems, particularly Unitronics devices. While the mass defacement and manipulation incidents from late 2023 prompted widespread awareness, follow-on probing continues. Any utility still running Unitronics Vision or Samba series PLCs with default credentials or internet-exposed management interfaces must act today — not tomorrow. CISA Alert on Unitronics PLCs

Ransomware Targeting Municipal Infrastructure Remains Elevated

Ransomware groups — including Cl0p successors, BlackSuit, and emerging affiliates — continue to target municipalities, and water utilities connected to shared municipal IT networks are collateral damage waiting to happen. If your OT network shares any IT backbone with city hall, the police department, or the finance office, your SCADA system is one phishing email away from being encrypted. The WaterISAC advisory posture remains at "elevated" for ransomware risk to the sector. WaterISAC Advisories

Subscribe to The CIP Briefing to read the rest.
