Federal Warning Highlights Cyber Vulnerability of US Water Systems

A new White House advisory about threat groups from Iran and China targeting US water and wastewater systems has once again focused attention on the continuing vulnerability of the sector to disruptive cyberattacks.

The warning — signed jointly by EPA administrator Michael Regan and Jake Sullivan, President Biden's national security advisor — calls on operators of water and water treatment facilities to urgently review their cybersecurity practices. It advocates the need for stakeholders to deploy cyber-risk mitigation controls where needed and to implement plans to prepare for attacks and to respond and recover from them.

A Call to Action

"In many cases, even basic cybersecurity precautions — such as resetting default passwords or updating software to address known vulnerabilities — are not in place and can mean the difference between business as usual and a disruptive cyberattack," the White House warned.

The memo stems from concerns over attacks like the one last November on the Municipal Water Authority of Aliquippa in Pennsylvania by an Iranian state-sponsored group called CyberAv3ngers. In that attack, the threat actor gained control of and shut down a Unitronics programmable logic controller (PLC) for monitoring and regulating water pressure in two townships. Though the attack ended up not posing any risks to the drinking water and water supply in the two communities, it served as a warning of the potential damage that adversaries could cause by targeting water systems.

This week's White House memo warned of such attacks as an ongoing threat against water and wastewater systems around the country. It attributed the attacks specifically to cyber threat actors tied to the Iranian government's Islamic Revolutionary Guard Corps (IRGC) and to Volt Typhoon, a China-backed threat actor associated with numerous recent attacks on US critical infrastructure.

Regan and Sullivan described attacks by Iranian threat actors as designed to disrupt and degrade critical operational technology (OT) at US water facilities. They characterized Volt Typhoon's attacks as more of an attempt to position themselves well for future disruption activity in response to any potential military conflict or rising geopolitical tensions between the US and China.

The US Cybersecurity and Infrastructure Agency (CISA), the FBI, the NSA, and security vendors and researchers have recently issued a flurry of warnings on Volt Typhoon attacks against critical infrastructure targets. The warnings include one about the threat actor hitting multiple US electric utilities, exploiting vulnerable Cisco routers to build its attack network, and pre-positioning itself for potentially crippling attacks on US critical infrastructure in future.

An Attractive Target

"Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," the White House said in its memo this week.

Nick Tausek, lead security automation architect at Swimlane, says compared to sectors like power generation, water infrastructure receives much less attention from a cybersecurity standpoint. "It's not hard to imagine a nation-state actor using this historically easy target to simultaneously degrade water safety in multiple areas of the country during a future conflict," he says. Such attacks can "erode trust in institutions, harm the populace, and stretch resources away to deal with the water crisis."

Casey Ellis, founder and chief strategy officer at Bugcrowd, says many of the systems within water infrastructure facilities — like elsewhere within the OT and ICS environments — rely on old software and operating systems that often have known vulnerabilities in them. "For these types of systems, the traditional 'apply patches, implement MFA, use strong passwords' guidance doesn't necessarily work, due to their age," he says. In general, Ellis says, operators should be ensuring proper segmentation of control systems from corporate systems and from the Internet and should be speaking to their middleware providers to get product-specific guidance.

Ellis, like other security experts, points to the damage that a successful attack can cause as a reason for threat actor interest in water systems. He points to a 2021 incident at a water treatment facility in Oldsmar, Fla. where the level of lye in the city's water supply suddenly rose to toxic levels before being detected, as one example of the concern surrounding attacks on water systems. Though the Oldsmar incident resulted from a simple employee error, rather than from a cyberattack as initially thought, it highlighted the susceptibility of some US water facilities to potentially catastrophic cyber-related failures.

Defense Measures

In part to prevent such attacks, the Cybersecurity for Rural Water Systems Act of 2023 allocated $7.5 million to funding security for rural water systems as among the most vulnerable to disruptive attacks. The money will fund for the next several years what is known as a Circuit Rider Program, where cybersecurity experts will travel to small rural water facilities and help them implement stronger cybersecurity.

Chad Graham, CIRT manager at Critical Start, says in many instances, operators themselves have begun implementing change. "One promising approach that water and wastewater systems are adopting involves distinctly separating their information technology (IT) and operational technology (OT) environments," he says. The approach is critical for containing damage in an environment where a successful attack can disrupt the supply of safe drinking water or impair wastewater treatment processes. "The disruption of these essential services could lead to immediate public health crises and long-term environmental damage."