The White House Warns US Governors of Serious Threats to Critical Water Infrastructure

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• US government officials are advising state governors that drinking water and wastewater systems are under threat.

• Recent attacks carried out by bad actors working on behalf of the Iranian and Chinese governments used different techniques to breach critical infrastructure; the government expects more to come. A letter from the White House included a link to guidance on what security controls water systems should have in place.

Concerns about attacks on critical infrastructure are nothing new, but recent events have shown that bad actors are becoming more brazen. A survey conducted by Mitre and the Harris Corporation in February 2024 found that 81% of 2,046 Americans reported concern about critical infrastructure safety and security. Drinking water and wastewater systems are particularly attractive targets to attackers because they are essential to the population and typically under-secured.

While the level of alarm about threats to critical infrastructure has ratcheted up in recent years, there is evidence that bad actors are becoming bolder in their efforts to penetrate water systems. This month, the White House sent a letter to all 50 US governors alerting them to specific threats from two nation-state-affiliated bad actors. The White House noted that the Iranian Government Revolutionary Guard Corps (IRGC) and a state-sponsored hacking group, Volt Typhoon, associated with the People’s Republic of China, both breached US water systems within the last six months. In the case of the former, the IRGC capitalized on a facility’s failure to change the default manufacturer password to access a water system. The prevailing thought on Volt Typhoon is that the cybercriminals breached critical infrastructure to pre-position themselves to disturb water systems in the event of political or military conflicts.

As with other sectors that underinvest in information technology, water systems and other areas of critical infrastructure, such as energy utilities, often lack essential IT and operational technology security controls. These utilities also often lack personnel resources to identify and mitigate security incidents. The letter included links to Environmental Protection Agency and Cybersecurity and Infrastructure Agency (CISA) resources specifically targeted toward water systems.

These resources include training, consultative help, tools, and technical support, starting with the most basic security practices. The agencies outline foundational training and controls, including training staff to recognize and dodge phishing schemes, using strong passwords and multi-factor authentication, and ensuring software is up to date. The EPA and CISA-provided toolkit also offers vulnerability assessment support and promises to adapt and add new resources for water and wastewater utilities based on the changing threat landscape.
