US consumers caught up in Veolia ransomware attack

Water is a source of potable drinking water and energy. Image of Olympic Park in London (C) Tim Sandle.

Veolia, one of the world’s largest water facility operators, was hit by a ransomware attack on its North America Municipal Water division. This attack comes nearly a week after the CISA, FBI, and EPA released an incident response guide for the Water and Wastewater Sector (WWS).

The company has confirmed its Municipal Water division has suffered a security incident that triggered the firm to take the targeted back-end systems and servers offline until they could be restored. The French-owned firm states:

“This incident seems to have been confined to our internal back-end systems at Veolia North America, and there is no evidence to suggest it affected our water or wastewater treatment operations.”

Veolia operates in all 50 U.S. states. The attack resulted in the company’s online payment systems being moved offline and the breach of customers’ sensitive information.

MSN reports that the relevant authorities and law enforcement agencies have been notified of the attack, and external forensics teams were brought in to assist with the aftermath of the attack.

Following this news, Nick Tausek, Lead Security Automation Architect at Swimlane explains to Digital Journal why cyberattacks on the energy sector put society as a whole at risk, especially should an attack actually be capable of spending operations, and how more needs to be done to protect national infrastructures.

Tausek begins by noting the irony of the timing of this security incident: “One week after the US government released guidance for the water and wastewater sector (WWS) to improve cyber resilience and incident response, Veolia, one of the world’s largest water operators, fell victim to a ransomware attack.”

In terms of the specific details, he finds: “The attack targeted Veolia’s North America Municipal Water division, affecting the company’s online payment systems. While there is no evidence that the attack affected water or wastewater treatment operations, there was a breach in customers’ personal information.”

In terms of taking remediation actions, Tausek assesses the latest advice, noting: “The guidelines published by the Environmental Protection Agency (EPA) in collaboration with the FBI and Cybersecurity and Infrastructure Security Agency (CISA) highlighted the need for a preventative security approach to be implemented to combat the vulnerability of this critical infrastructure sector. The timing of this attack reiterates this vulnerability. These organizations must be taking the necessary precautions to not only safeguard the sensitive information of customers but also the system operations and water safety.”

In terms of taking concrete action, Tausek recommends: “The cascading, long-term risks to critical water infrastructure as well as human and environmental health are of paramount importance, and, combined with a historically outdated security posture, make water infrastructure an especially attractive target for cybercriminals.”

Tausek further recommends: “By implementing an automated security platform, organizations can standardize threat detection and alert monitoring, significantly reducing incident response times.”