Federal Warning Highlights Cyber Vulnerability of US Water Systems

Published: 23/11/2024   Category: security




The White House urged operators of water and wastewater systems to review and beef up their security controls against attacks by Iran- and China-based groups.



A new White House advisory about threat groups from Iran and China targeting US water and wastewater systems has once again focused attention on the continuing vulnerability of the sector to disruptive cyberattacks.
The warning — signed jointly by EPA administrator Michael Regan and Jake Sullivan, President Biden's national security advisor — calls on operators of water and water treatment facilities to urgently review their cybersecurity practices. It advocates the need for stakeholders to deploy cyber-risk mitigation controls where needed and to implement plans to prepare for attacks and to respond and recover from them.
In many cases, even basic cybersecurity precautions — such as resetting default passwords or updating software to address known vulnerabilities — are not in place and can mean the difference between business as usual and a disruptive cyberattack, the White House warned.
The memo stems from concerns over attacks like the one last November on the Municipal Water Authority of Aliquippa in Pennsylvania by an Iranian state-sponsored group called CyberAv3ngers. In that attack, the threat actor gained control of and shut down a Unitronics programmable logic controller (PLC) for monitoring and regulating water pressure in two townships. Though the attack ended up not posing any risks to the drinking water and water supply in the two communities, it served as a warning of the potential damage that adversaries could cause by targeting water systems.
This week's White House memo warned of such attacks as an ongoing threat against water and wastewater systems around the country. It attributed the attacks specifically to cyber threat actors tied to the Iranian government's Islamic Revolutionary Guard Corps (IRGC) and to Volt Typhoon, a China-backed threat actor associated with numerous recent attacks on US critical infrastructure.
Regan and Sullivan described attacks by Iranian threat actors as designed to disrupt and degrade critical operational technology (OT) at US water facilities. They characterized Volt Typhoon's attacks as more of an attempt to position themselves well for future disruption activity in response to any potential military conflict or rising geopolitical tensions between the US and China.
The US Cybersecurity and Infrastructure Agency (CISA), the FBI, the NSA, and security vendors and researchers have recently issued a flurry of warnings on Volt Typhoon attacks against critical infrastructure targets. The warnings include one about the threat actor hitting multiple US electric utilities, exploiting vulnerable Cisco routers to build its attack network, and pre-positioning itself for potentially crippling attacks on US critical infrastructure in future.
Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices, the White House said in its memo this week.
Nick Tausek, lead security automation architect at Swimlane, says compared to sectors like power generation, water infrastructure receives much less attention from a cybersecurity standpoint. It's not hard to imagine a nation-state actor using this historically easy target to simultaneously degrade water safety in multiple areas of the country during a future conflict, he says. Such attacks can erode trust in institutions, harm the populace, and stretch resources away to deal with the water crisis.
Casey Ellis, founder and chief strategy officer at Bugcrowd, says many of the systems within water infrastructure facilities — like elsewhere within the OT and ICS environments — rely on old software and operating systems that often have known vulnerabilities in them. For these types of systems, the traditional "apply patches, implement MFA, use strong passwords" guidance doesn't necessarily work, due to their age, he says. In general, Ellis says, operators should be ensuring proper segmentation of control systems from corporate systems and from the Internet and should be speaking to their middleware providers to get product-specific guidance.
Ellis, like other security experts, points to the damage that a successful attack can cause as a reason for threat actor interest in water systems. He points to a 2021 incident at a water treatment facility in Oldsmar, Fla. where the level of lye in the city's water supply suddenly rose to toxic levels before being detected, as one example of the concern surrounding attacks on water systems. Though the Oldsmar incident resulted from a simple employee error, rather than from a cyberattack as initially thought, it highlighted the susceptibility of some US water facilities to potentially catastrophic cyber-related failures.
In part to prevent such attacks, the Cybersecurity for Rural Water Systems Act of 2023 allocated $7.5 million to funding security for rural water systems as among the most vulnerable to disruptive attacks. The money will fund for the next several years what is known as a Circuit Rider Program, where cybersecurity experts will travel to small rural water facilities and help them implement stronger cybersecurity.
Chad Graham, CIRT manager at Critical Start, says in many instances, operators themselves have begun implementing change. One promising approach that water and wastewater systems are adopting involves distinctly separating their information technology (IT) and operational technology (OT) environments, he says. The approach is critical for containing damage in an environment where a successful attack can disrupt the supply of safe drinking water or impair wastewater treatment processes. The disruption of these essential services could lead to immediate public health crises and long-term environmental damage.
