A recent letter from the White House states that critical infrastructure, specifically water and wastewater systems, is a major target for foreign state-sponsored threat actors. In this letter, the White House requested the cooperation of governors and invited state environmental, homeland security and health agencies to a meeting to discuss the cybersecurity of the nation's critical infrastructure. This meeting sought to detail federal government cybersecurity improvement plans in the water sector. It also aimed to determine the security gaps in the water sector and encourage prompt action from the states.
Security leaders weigh in
Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit:
“Nation-state actors have been targeting critical infrastructure for years to posture and prepare cyber weapons and capabilities for escalation and capabilities for a time and place when it is strategically advantageous for them to utilize in an attack. For example, this was seen with attacks by Russian with their attack into Georgia, attacking critical infrastructure week prior to conventional armed forces attacking, facing little to no resistance, with sickness and dysentery set in for many.
“US water and wastewater systems are at risk with various forms of governance and authority behind state, local, federal, and commercial entities responsible for management of facilities, where some have largely ignored security practices. This is in sharp contrast to adversaries that are organized and managed by a government, rather than commercial and government cooperatives. This results in a cyber information warfare comparative where adversaries are attempting to compromise each, with one attempting to gain more of a foothold and have more command and control over the other than what is lost within their own infrastructure. How this dangerous game plays out in convention war, should things escalate, is where real risk is revealed, yet to be unveiled.
“Water shortages are significant, especially based upon geolocation, time of year, and supply chain realities. Take for example, middle of the summer, southern states, with no drinking water or supplies to the home. It's obvious a rush to stores for drinking water follows with various forms of fallout and/or mayhem. If wastewater is manipulated to create sickness and pollution in local waterways you then introduce large scale sickness and impact in major areas. Very quickly entire regions can be tossed into dangerous life-threatening situations where critical infrastructure is threatened and lives are at risk just by not having drinkable water, shortages of care facilities for the scale of support needed, possible power outages, and more, dependent upon the scale and swatch of critical infrastructure attacks imposed by adversaries at the time of attack.”
Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd:
“Means, opportunity, and motive are driving these attacks. The opportunity comes from the generally poor state of critical infrastructure cybersecurity, and the difficulty involved in getting these types of systems modernized, and the means comes from the relative ease with which this type of attack can often be performed. Motive-wise, it varies by threat actor - and this can be seen in the White House advisory. The IRGC are actively engaged in disruptive attacks, while the PRC are more focused on establishing persistence for potential future use.
“In general, these systems rely on old software and operating systems, which often contain known and unpatched vulnerabilities. This isn't unique to water and wastewater, it's a systemic challenge in OT/ICS/CI cybersecurity. For these types of systems, the traditional "apply patches, implement MFA, use strong passwords" guidance doesn't necessarily work due to their age. In general, operators should be ensuring proper segmentation of control systems from corporate systems and from the Internet, and should be speaking to their middle-ware providers to get product-specific guidance.
“In the Oldsmer attack, all that was required was a phished username and password for a TeamViewer account, and I've personally seen these types of systems sitting on the open Internet. In these situations, the knowledge level needed is quite low. If a system is better secured at the fundamentals level, that's when an understanding of the control software, PLC exploitation (as mentioned in the CISA advisory), etc…becomes a requirement.”
Chad Graham, CIRT Manager at Critical Start:
“The drivers behind the attacks on U.S. water and wastewater systems are multifaceted, encompassing state-sponsored agendas and financial motivations. State-sponsored actors, like those from Iran and China, may target these infrastructures to disrupt essential services or as a form of geopolitical leverage. Simultaneously, ransomware operators attack these facilities for monetary gain, exploiting vulnerabilities to extort large sums.
“In comparison to other critical infrastructures, such as financial services and energy, the US water and wastewater systems often lag behind. This is partly due to these sectors having historically received less focus and investment in cybersecurity, making them potentially more vulnerable to attacks. The severe implications of a successful cyberattack on water and wastewater systems cannot be overstated. An attack of this nature has the potential to disrupt the supply of clean and safe drinking water or impair wastewater treatment processes, posing significant public health and environmental risks. The disruption of these essential services could lead to immediate public health crises and long-term environmental damage.
“One promising approach that water and wastewater systems are adopting involves distinctly separating their information technology (IT) and operational technology (OT) environments. This approach is critical for mitigating the risk of a comprehensive system compromise. If an IT system is breached, the OT system—which directly manages the physical components of the water infrastructure—remains protected, and vice versa.
“To defend against these multifaceted threats, water and wastewater facilities should implement rigorous cybersecurity measures. This involves segregating their networks through network segmentation, as well as the principle of least privilege, ensuring that users have only the access necessary for their roles. Additionally, it is crucial for facilities to regularly update all devices and systems while also changing default credentials to prevent unauthorized access.”