White House Warns of Widespread Cyber Threats to Drinking Water

Water and wastewater systems across the United States are being targeted with disabling cyberattacks that could disrupt the critical lifeline of clean and safe drinking water.

That’s according to a White House letter to U.S. governors requesting their partnership. Threats to water systems include Iranian and Chinese state-sponsored threat actors, who have carried out malicious cyberattacks targeting the U.S. critical infrastructure.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector, but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” it said. “As the sector risk management agency identified in Presidential Policy Directive 21 for water and wastewater systems, the U.S. Environmental Protection Agency (EPA) is the lead federal agency for ensuring the nation’s water sector is resilient to all threats and hazards. Partnerships with state, local, tribal and territorial governments are critical for EPA to fulfill this mission. In that spirit of partnership, we ask for your assistance in addressing the pervasive and challenging risk of cyberattacks on drinking water systems.”

Who’s Targeting Drinking Water?

Hacking groups associated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) have targeted drinking water systems, disabling operational technology (OT) that used a default manufacturer password. In addition, the Chinese threat actor Volt Typhoon has infiltrated information technology (IT) of U.S. critical infrastructure systems, including drinking water, to pre-position themselves for disrupting their operations in the event of conflicts.

Related:CPX 2024: 'Terrifying' Future with AI, Gen AI and Security

The White House has invited state environmental, health and Homeland Security agencies to a meeting to discuss safeguarding the water and wastewater critical infrastructure. The meeting will highlight U.S. government efforts to improve cybersecurity in the water sector, discuss gaps, and urge immediate action from states and water systems.

Casey Ellis, founder and chief strategy officer at Bugcrowd, said means, opportunity, and motive are driving these attacks.

Bugcrowd's Casey Ellis

“The opportunity comes from the generally poor state of critical infrastructure cybersecurity, the difficulty involved in getting these types of systems modernized, and the means comes from the relative ease with which this type of attack can often be performed,” he said. “Motive-wise, it varies by threat actor, and this can be seen in the White House advisory. The IRGC are actively engaged in disruptive attacks, while [Chinese threat actors] are more focused on establishing persistence for potential future use.”

Related:Zero Trust World: ThreatLocker Providing an Action Plan for Preventing Attacks

Relying On Old Software and Operating Systems

In general, these systems rely on old software and operating systems, which often have known and unpatched vulnerabilities, Ellis said. This isn't unique to water and wastewater; it's a systemic challenge in OT/industrial control systems(ICS)/critical infrastructure (CI) cybersecurity.

“For these types of systems, the traditional ‘apply patches, implement multifactor authentication (MFA), use strong passwords' guidance doesn't necessarily work due to their age,” he said. “In general, operators should be ensuring proper segmentation of control systems from corporate systems, and from the internet, and should be speaking to their middle-ware providers to get product-specific guidance.”

Chad Graham, computer incident response team (CIRT) manager at Critical Start, said compared to other critical infrastructures, such as financial services and energy, the U.S. water and wastewater systems often lag behind.

“This is partly due to these sectors having historically received less focus and investment in cybersecurity, making them potentially more vulnerable to attacks,” he said. “The severe implications of a successful cyberattack on water and wastewater systems cannot be overstated. An attack of this nature has the potential to disrupt the supply of clean and safe drinking water or impair wastewater treatment processes, posing significant public health and environmental risks. The disruption of these essential services could lead to immediate public health crises and long-term environmental damage.”

One Promising Approach to Protect Systems

One promising approach that water and wastewater systems are adopting involves distinctly separating their IT and OT environments, Graham said.

“This approach is critical for mitigating the risk of a comprehensive system compromise,” he said. “If an IT system is breached, the OT system — which directly manages the physical components of the water infrastructure — remains protected, and vice versa.”

Roger Grimes, data-driven defense evangelist at KnowBe4, said this is “great news to read, but everyone has to wonder if it will do any good.”

KnowBe4's Roger Grimes

“I mean, is there an organization on this planet, much less water system companies, that don't know about the threat of hacking and malware programs?” he said. “This memo is essentially saying, ‘Do what you should have already been doing for the last three decades.’ Will this memo reach a single person and make them do a single thing that makes their company more resilient to hacking? I don't think anyone knows, but there's always hope.”

Too Many Recommendations

Part of the problem is there are just too many recommendations, often containing hundreds of controls that every company is supposed to implement perfectly, Grimes said.

“It just can't be done,” he said. “And the facts are that 70-90% of all successful data breaches involve social engineering that has gotten past every other technical defense, and 33% of all successful hacking involves unpatched software and firmware. Those two root hacking methods account for 90-99% of all success hacking. And if defenders just concentrated on mitigating those two threats, far better than they do today, hackers and malware would have a much harder time being successful. But defenders don't appropriately focus on those two things. And it is that fundamental misalignment that allows hackers and malware to be as continually successful as they have always been. And for sure this memo is not changing that equation much."