The White House and Environmental Protection Agency (EPA) have written to state governors asking for their urgent help to boost the cyber-resilience of the water sector, in the fact of escalating attacks.
EPA administrator Michael Regan and national security advisor Jake Sullivan invited state environmental, health and homeland security secretaries to a virtual meeting tomorrow to discuss the matter.
The duo believe there’s an urgent need to fill gaps in current federal and state efforts to promote cybersecurity best practice in the sector, citing recent incursions by Chinese and Iranian threat actors.
In December 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) revealed Iran’s Islamic Revolutionary Guard Corps (IRGC) was behind a series of strikes against water plants. They were able to compromise default credentials on Unitronics programmable logic controllers (PLCs) to display anti-Israel messages.
Arguably more serious were revelations two months later that a Chinese threat group known as Volt Typhoon had pre-positioned itself in various critical national infrastructure (CNI) networks including the water and wastewater sector. The US agencies that penned the alert claimed that the end goal could have been to launch destructive attacks against US CNI in the event of a military conflict.
The group used a large botnet of compromised small office/home office (SOHO) routers to carry out attacks on CNI networks, and once inside used living-off-the-land techniques to stay hidden, they claimed.
“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident,” the letter to state governors read.
“In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyber-attack.”
Help is At Hand
The letter noted that water and wastewater companies have a wealth of resources they can draw on to help them in these efforts. These include “guidance, tools, training, resources and technical assistance” from CISA and the EPA, and private sector bodies like the American Water Works Association, the National Rural Water Association, and the Water Information Sharing and Analysis Center.
“Additionally, EPA will engage the Water Sector and Water Government Coordinating Councils to form a Water Sector Cybersecurity Task Force, which will build on recommendations from your environmental, health and homeland security secretaries,” the letter concluded.
“The Task Force will identify the most significant vulnerabilities of water systems to cyber-attacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyber-attacks.”