China and Iran-linked threat actors are targeting water and wastewater systems throughout the United States. Cyberattacks on infrastructure can disrupt “the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” officials from the Environmental Protection Agency (EPA) and the White House have warned.
In a letter to the US governors, EPA Administrator Michael Regan and National Security Adviser Jake Sullivan described two recent and ongoing threats to the nation’s water system and concluded with a plea for help.
Threat actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) have targeted and disabled a common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password.
And the People’s Republic of China (PRC) state-sponsored cyber group Volt Typhoon has compromised multiple critical infrastructure systems, including drinking water. Officials warn that Volt Typhoon may already be lurking in the systems as their choice of targets and behavior are prepositioned “to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflict.”
“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices,” the letter reads.
Governors are asked to identify any significant vulnerabilities, reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.
“In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack,” the letter notes, linking to the CISA’s list of actions that water and wastewater systems can take to reduce risk and improve protections against malicious cyber activity.
The EPA plans on setting up a Task Force that “will identify the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks.”
The agency is also providing other guidance, tools, training, and assistance.
Drinking water is a critical infrastructure that often lacks the resources and technical capacity to adopt rigorous cybersecurity practices. This makes it an attractive target for threat actors.
A water facility in Western Pennsylvania has already been hit by the Iranian hacktivist group. The attackers were able to gain control of a remote booster station that regulates and monitors pressure for two local municipalities, Cybernews reported. Previously, a cyberattack targeted UK water supplier South Staffordshire.
Powerful cyberattacks against critical infrastructure can be comparable to a natural disaster, according to the interview with Brian Contos, CSO of Phosphorus Cybersecurity.
Your email address will not be published. Required fields are markedmarked