In a stark warning issued by the White House, it has been revealed that cyberattacks are increasingly targeting water and wastewater systems across the United States.
These critical infrastructures are essential for providing clean and safe drinking water to communities, yet they are now at the forefront of a silent cyber war.
Cyber Threats from Iran and China
The letter from the White House, dated March 18, 2024, outlines two significant cyber threats that have been compromising the nation’s water systems.
Free Webinar : Mitigating Vulnerability & 0-day Threats
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:
- The problem of vulnerability fatigue today
- Difference between CVSS-specific vulnerability vs risk-based vulnerability
- Evaluating vulnerabilities based on the business impact/risk
- Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, that helps you to quantify risk accurately:
The first threat comes from actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC), who have been exploiting weaknesses in operational technology.
Specifically, they have targeted water facilities that failed to change default manufacturer passwords.
The White House refers to the Cybersecurity and Infrastructure Security Agency’s (CISA) advisory for more details on these attacks.
The second threat is the People’s Republic of China (PRC) state-sponsored cyber group, Volt Typhoon.
This group has been infiltrating information technology systems of multiple critical infrastructures, including those of drinking water.
Unlike typical cyber espionage, Volt Typhoon’s activities suggest a pre-positioning strategy to disrupt essential operations in the event of geopolitical tensions or military conflicts.
The Vulnerability of Water Systems
The letter emphasizes the attractiveness of drinking water and wastewater systems as cyberattack targets.
Despite being a lifeline critical infrastructure sector, these systems often lack the necessary resources and technical capacity to implement robust cybersecurity measures.
The U.S. Environmental Protection Agency (EPA), as the lead Federal agency under Presidential Policy Directive 21, is tasked with ensuring the resilience of the nation’s water sector to all threats and hazards.
The White House is seeking the support of state governments to ensure that water systems within their jurisdictions conduct comprehensive assessments of their cybersecurity practices.
The goal is to identify vulnerabilities, implement controls to mitigate risks and develop robust incident response plans.
The letter points out that even basic cybersecurity precautions, such as changing default passwords and updating software, can significantly reduce the risk of a cyberattack.
Resources and Assistance
The EPA and CISA offer guidance, tools, training, resources, and technical assistance to help water systems enhance their cybersecurity.
Additionally, private sector associations like the American Water Works Association, the National Rural Water Association, and the Water Information Sharing and Analysis Center provide support.
State Homeland Security advisors are also highlighted as valuable resources connected to Federal cybersecurity efforts.
Upcoming Convening and Task Force
The White House plans to invite state Environmental, Health, and Homeland Security Secretaries to a meeting to discuss improvements needed to protect the water sector from cyber threats.
This convening will address current Federal and state efforts, identify priority gaps, and emphasize the urgency of immediate action.
Furthermore, the EPA will establish a Water Sector Cybersecurity Task Force in collaboration with the Water Sector and Water Government Coordinating Councils.
This task force will focus on identifying critical vulnerabilities, challenges in adopting best practices, and strategies to reduce the risk of cyberattacks on water systems nationwide.
The White House and EPA hope that the initiatives outlined in the letter and future collaborative efforts will fortify water systems against cyber threats.
The administration appreciates the gravity of the situation and calls for a concerted effort to safeguard mission-critical water utility operations.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.