A new White House warning about threat groups from Iran and China targeting U.S. water and sewer systems has once again focused attention on the sector’s continued vulnerability to disruptive cyberattacks.
The warning, co-signed by EPA Administrator Michael Regan and Jake Sullivan, President Biden’s national security advisor, calls on water and wastewater treatment plant operators to urgently review their cybersecurity practices. It urges them to implement cyber risk mitigation controls where necessary and to put in place plans to prepare for, respond to and recover from attacks.
A call to action
“In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyber attack,” the White House warned.
The note arises from concerns about attacks like the one last November on the Aliquippa Municipal Water Authority in Pennsylvania by an Iranian state-sponsored group called CyberAv3ngers. In that attack, the threat actor took control of and shut down a Unitronics programmable logic controller (PLC) used to monitor and regulate water pressure for two municipalities. While the attack ultimately posed no risk to the drinking water or water supply in the two communities, it served as a warning of the potential damage adversaries could cause by targeting water systems.
The White House memo this week warned of such attacks as an ongoing threat to water and sewer systems across the country. It attributed the attacks specifically to cyber threat actors linked to the Iranian government’s Islamic Revolutionary Guard Corps (IRGC) and Volt Typhoon, a China-backed threat actor associated with several recent attacks on U.S. critical infrastructure.
Regan and Sullivan described attacks by Iranian threat actors as designed to disrupt and degrade critical operational technology (OT) at U.S. water facilities. They characterized the Volt Typhoon strikes as more of an attempt to position themselves well for future disruption activities in response to any potential military conflict or rising geopolitical tensions between the United States and China.
The US Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, security vendors and researchers have recently issued a barrage of warnings about Volt Typhoon attacks against critical infrastructure targets. The alerts include ones about the threat actor’s attacks on numerous US electricity companies, its exploitation of vulnerable Cisco routers to build its own attack network, and its prepositioning for potentially crippling attacks on US critical infrastructure in the future.
An attractive target
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a critical infrastructure sector, but they often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the White House said in this week’s note.
Nick Tausek, lead security automation architect at Swimlane, says that compared to industries like power generation, water infrastructure receives much less attention from a cybersecurity perspective. “It is not difficult to imagine a nation-state using this historically easy target to simultaneously compromise water security in multiple areas of the country during a future conflict,” he says. Such attacks can “erode trust in institutions, harm the population and divert resources to address the water crisis.”
Casey Ellis, founder and chief strategy officer at Bugcrowd, says many of the systems within water infrastructure, as elsewhere in OT and ICS environments, rely on old software and operating systems that often have known vulnerabilities. “For these types of systems, the traditional ‘apply patches, implement MFA, use strong passwords’ guidance doesn’t necessarily work, due to their age,” he says. In general, Ellis says, operators should ensure adequate segmentation of control systems from enterprise systems and the Internet, and should talk to their middleware vendors for product-specific guidance.
Ellis, like other security experts, points to one specific incident as an illustration of why threat actors are interested in water systems: a reported attack in 2021 on a water treatment plant in Oldsmar, Florida, which is said to have raised the level of lye in the water to toxic levels before being detected. “In the attack on Oldsmar, all [the attacker] required was a phished username and password for a TeamViewer account. I have personally seen these types of systems present on the open Internet,” Ellis explains.
Defense measures
To help prevent such attacks, the Cybersecurity for Rural Water Systems Act of 2023 allocates $7.5 million to fund security for rural water systems, which are among the most vulnerable to disruptive attacks. The money will fund the so-called Circuit Rider Program for the next few years, in which cybersecurity experts travel to small rural water systems to help them implement stronger cybersecurity.
Chad Graham, CIRT manager at Critical Start, says that in many cases it is the operators themselves who have started to implement changes. “One promising approach that water and wastewater systems are taking is to clearly separate their information technology (IT) and operational technology (OT) environments,” he says. The approach is critical to containing damage in an environment where a successful attack can disrupt supplies of safe drinking water or compromise wastewater treatment processes. “Disruption of these essential services could lead to immediate public health crises and long-term environmental damage.”
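Both Ellis and Graham come back to the same control: keep the control network separated from the enterprise network and the Internet, and know when that boundary is being crossed. As an added example, written for this page and not code from the article or from any of the people or vendors quoted, the Python below checks a set of constructed firewall flow records against a simple IT/OT boundary policy: only a designated engineering jump host may reach the OT subnet, and no control-protocol or remote-access port on an OT device may be reachable from an address outside the utility’s internal address plan. The subnets, the jump-host address and the log line format are assumptions made for illustration; the port numbers are the standard ones for Modbus/TCP, Unitronics PCOM, VNC and TeamViewer.

```python
"""
IT/OT boundary audit over firewall flow records.

Hypothetical example: the networks, jump host and log format below are
assumptions for illustration, not taken from any real utility.
"""
import ipaddress
from dataclasses import dataclass

OT_NET = ipaddress.ip_network("10.20.0.0/24")       # assumed PLC/HMI control network
IT_NET = ipaddress.ip_network("10.10.0.0/16")       # assumed enterprise network
INTERNAL_NETS = (OT_NET, IT_NET)                    # the whole internal address plan
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}   # assumed engineering jump host

# Standard ports for protocols commonly exposed on control networks.
OT_PORTS = {
    502: "Modbus/TCP",
    20256: "Unitronics PCOM",          # PLC family involved at Aliquippa
    5900: "VNC (HMI remote view)",
    5938: "TeamViewer",                # remote-access tool abused at Oldsmar
}


@dataclass(frozen=True)
class Finding:
    severity: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Parse one constructed record: '<src_ip> <dst_ip> <dst_port> <ALLOW|DENY>'."""
    src, dst, dport, action = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action


def check_flow(src, dst, dport, action):
    """Return a Finding if the flow violates the boundary policy, else None."""
    if dst not in OT_NET or action != "ALLOW":
        return None  # only permitted traffic entering OT is policy relevant
    if src in OT_NET:
        return None  # intra-OT traffic does not cross the boundary
    proto = OT_PORTS.get(dport, f"tcp/{dport}")
    if not any(src in net for net in INTERNAL_NETS):
        # Anything outside the internal plan is treated as Internet-facing exposure.
        return Finding("critical", str(src), str(dst), dport,
                       f"{proto} on an OT device reachable from outside the internal network")
    if src in JUMP_HOSTS:
        return None  # the one sanctioned path from IT into OT
    return Finding("high", str(src), str(dst), dport,
                   f"{proto} reached directly from enterprise IT, bypassing the jump host")


def audit(lines):
    """Run check_flow over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            result = check_flow(*parse_flow(line))
            if result is not None:
                findings.append(result)
    return findings


# Constructed sample flows for the example; not traffic from any real system.
SAMPLE_FLOWS = """
10.10.5.10 10.20.0.15 20256 ALLOW
10.10.42.7 10.20.0.15 502 ALLOW
203.0.113.45 10.20.0.22 5938 ALLOW
203.0.113.45 10.20.0.22 502 DENY
10.20.0.15 10.20.0.16 502 ALLOW
10.10.42.7 10.10.1.1 443 ALLOW
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the sample, the jump-host session to the PLC and the intra-OT Modbus traffic pass, the denied connection from outside is ignored because the firewall already did its job, and two findings remain: an enterprise workstation talking Modbus straight to a PLC, and a TeamViewer session to an HMI from an address outside the internal plan, which is the Oldsmar pattern Ellis describes. Deciding what counts as "external" by exclusion from the known internal networks, rather than by asking whether an address is globally routable, is deliberate: an unrecognised source should be treated as untrusted until someone explains it.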