US White House and EPA warn governors of cyberattacks on water systems, call for enhanced security measures

The U.S. White House and the Environmental Protection Agency (EPA) have alerted state governors to the threat of cyberattacks targeting water and wastewater systems. These attacks have the potential to disrupt the essential supply of clean and safe drinking water, leading to significant costs for affected communities.

In a letter this week, Michael S. Regan, administrator of the EPA, and Jake Sullivan, assistant to the President for National Security Affairs, described the nature of these threats and requested the governors’ partnership on important actions to secure water systems against the increasing risks from and consequences of these attacks.

Pointing to two recent and ongoing threats that illustrate the risk that cyberattacks pose to the nation’s water systems, the officials identified hackers affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC), who have carried out malicious cyberattacks against U.S. critical infrastructure entities, including drinking water systems, where they exploited Unitronics PLCs.

They highlighted that in these attacks, the IRGC-affiliated cyber actors targeted and disabled a common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password. 

They also said that the People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon has compromised information technology of multiple critical infrastructure systems, including drinking water, in the U.S. and its territories. “Volt Typhoon’s choice of targets and pattern of behavior are not consistent with traditional cyber espionage. Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”

The agencies added that they “need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident. In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack.”

They also directed the sector to the website of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which has a list of actions water and wastewater systems can take to reduce risk and improve protections against malicious cyber activity. In January, CISA, the Federal Bureau of Investigation (FBI), and the EPA released a joint Incident Response Guide for the water and wastewater systems sector, which includes contributions from over 25 organizations from the sector, including private industry, nonprofit, and government entities.

The White House and EPA said that both EPA and CISA offer guidance, tools, training, resources, and technical assistance to help water systems execute these essential tasks. Further, cybersecurity support and technical assistance are available from private sector associations like the American Water Works Association, the National Rural Water Association, and the Water Information Sharing and Analysis Center. 

“State leadership and messaging to connect water systems with these tools and resources is essential to ensure that utility leaders assess and mitigate critical cyber risks,” Regan and Sullivan wrote. “Your state Homeland Security advisors are a resource, as they have links into Federal cybersecurity efforts and access to relevant information about these threats.” 

Additionally, they informed the governors that “We will invite your Environmental, Health, and Homeland Security Secretaries to participate with us in convening to discuss the improvements needed to safeguard water sector critical infrastructure against cyber threats. This meeting will highlight current Federal and state efforts to promote cybersecurity practices in the water sector, discuss priority gaps in these efforts, and emphasize the need to take immediate action. We will provide details about this convening to your teams shortly.”

Additionally, EPA will engage the Water Sector and Water Government Coordinating Councils to form a Water Sector Cybersecurity Task Force, which will build on recommendations from the state’s Environmental, Health, and Homeland Security Secretaries. The Task Force will identify the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks.

In conclusion, Regan and Sullivan said, “The White House and EPA are hopeful that the efforts outlined in this letter, and others we may undertake together, will protect the water systems from cyberattacks and prevent the need to use other Federal authorities.”

Commenting on the letter, Roger Grimes, data-driven defense evangelist at KnowBe4, said, “Part of the problem is there are just too many recommendations, often containing hundreds of controls that every company is supposed to implement perfectly. It just can’t be done. And the facts are that 70%-90% of all successful data breaches involve social engineering that has gotten past every other technical defense and 33% of all successful hacking involves unpatched software and firmware. Those two root hacking methods account for 90%-99% of all successful hacking.”

He added that if defenders just concentrated on mitigating those two threats, far better than they do today, hackers and malware would have a much harder time being successful. 

“But defenders don’t appropriately focus on those two things,” according to Grimes. “And it is that fundamental misalignment that allows hackers and malware to be as continually successful as they have always been. And for sure this memo is not changing that equation much.”
