Critical Infrastructure Alert: Water Treatment Facilities Targeted by Novel ICS Malware
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency alert after discovering a new strain of ICS-specific malware called "AquaGhost" designed to manipulate water treatment chemical dosing systems at municipal water treatment facilities across the United States.
AquaGhost specifically targets Programmable Logic Controllers (PLCs) manufactured by Schneider Electric and Siemens that are commonly used in water treatment plants. The malware can alter chemical dosing parameters while displaying normal readings on operator workstations — a technique reminiscent of the Stuxnet attack methodology.
Three water treatment facilities in Texas, Ohio, and Oregon have confirmed compromises. In all cases, the malware was delivered through compromised remote access systems used by third-party maintenance contractors. No actual harm to water supplies has been reported.
The malware shows significant technical sophistication, including the ability to understand and manipulate specific SCADA protocols (Modbus TCP and OPC UA), suggesting the involvement of well-resourced threat actors with deep knowledge of industrial control systems.
CISA recommends that all water utilities immediately audit remote access connections, implement network segmentation between IT and OT environments, and deploy industrial-specific intrusion detection systems. The agency is providing free technical assistance to affected facilities.
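The industrial-specific intrusion detection recommended above can begin with a check as simple as the following, an added example that is not part of the CISA alert: it parses Modbus TCP requests and flags any write function code sent by a host outside an approved list. The IP addresses, register address and sample frames are constructed for illustration, and the frames are assumed to be client-to-PLC requests (destination port 502) already extracted from a capture.

```python
import struct

# Modbus function codes that change PLC state (per the Modbus application protocol).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
}

# Assumption: the only host approved to write to PLCs (e.g. an engineering workstation).
AUTHORIZED_WRITERS = {"10.20.0.5"}

def parse_modbus_tcp(adu: bytes):
    """Return (unit_id, function_code, address), or None if the frame is malformed."""
    if len(adu) < 8:
        return None
    _txn, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    # Protocol id must be 0; the length field counts the unit id plus the PDU.
    if proto != 0 or length != len(adu) - 6:
        return None
    func = adu[7]
    address = struct.unpack(">H", adu[8:10])[0] if len(adu) >= 10 else None
    return unit, func, address

def unauthorized_writes(frames):
    """Return one alert per write request that comes from a non-approved source."""
    alerts = []
    for src_ip, adu in frames:
        parsed = parse_modbus_tcp(adu)
        if parsed is None:
            continue
        unit, func, address = parsed
        if func in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
            alerts.append({"src": src_ip, "unit": unit, "address": address,
                           "function": WRITE_FUNCTIONS[func]})
    return alerts

# Constructed sample traffic: (source IP, Modbus TCP payload).
SAMPLE_FRAMES = [
    ("10.20.0.5", bytes.fromhex("000100000006010600280190")),   # approved host writes register 40
    ("10.20.0.77", bytes.fromhex("000200000006010300280001")),  # read holding registers (not a write)
    ("10.20.0.77", bytes.fromhex("0003000000060106002803e8")),  # unapproved host writes register 40
    ("10.20.0.77", bytes.fromhex("00040001000601060028")),      # malformed: bad protocol id and length
]

if __name__ == "__main__":
    for alert in unauthorized_writes(SAMPLE_FRAMES):
        print(alert)
```

Because the malware described in the alert shows normal readings on operator workstations, a check like this belongs on a network tap or span port in the OT segment rather than on the HMI itself.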