The White House issued a stark warning to U.S. governors regarding the escalating risk of “disabling” cybercrimes targeting water systems nationwide. In a recent letter, National Security Advisor Jake Sullivan and Environmental Protection Agency (EPA) Administrator Michael Regan noted the urgent need for enhanced cybersecurity measures to fortify over 150,000 utilities across the country.
These attacks pose a devastating risk to critical infrastructure, potentially disrupting the vital supply of clean and safe drinking water and imposing substantial costs on affected communities. The letter pointed to specific instances of cyber assaults, led by the China-sponsored hacking group Volt Typhoon and the Iranian Islamic Revolutionary Guard Corps.
In June 2023, nGuard provided a deep dive into Volt Typhoon’s activities and later addressed their five-year persistent access to U.S. infrastructure. These intrusions into critical infrastructure, such as drinking water systems, raise concerns of pre-positioning for disruptive actions in potential geopolitical conflicts. Similarly, the Iranian-linked Cyber Av3ngers targeted water facilities, exploiting easily abused weaknesses like unchanged default passwords, a basic oversight with catastrophic implications. Designing system architecture with defense in depth, coupled with regularly monitoring and updating software, is a proactive approach that can strengthen organizations against comparable attacks.
Despite ongoing efforts by federal agencies like the EPA to bolster cybersecurity regulations for the water sector, challenges persist due to legal obstacles, technical incapacity, and resource constraints. The EPA’s proposed cybersecurity rules faced setbacks, leaving the water sector without binding regulations to address cybersecurity vulnerabilities effectively.
Recognizing the gravity of the situation, the White House is mobilizing efforts to address these threats comprehensively. Federal agencies and state officials are urged to collaborate in identifying vulnerabilities, implementing best practices, and preparing for potential security incidents. In direct response, the EPA is establishing a Water Sector Cybersecurity Task Force to formulate “near-term actions and long-term strategies” to secure water systems nationwide against evolving cyber assaults.
When evaluating your organization’s fortifications, consider the following high-impact mitigation steps:
- Identify gaps within infrastructure and daily operations through third-party strategic analysis.
- Inventory technology assets and perform backups on a regular basis.
- Prioritize the logging and monitoring of critical infrastructure to detect new and existing vulnerabilities.
- Implement microsegmented architecture and perform segmentation validation penetration testing to confirm defense in depth and limit lateral movement within internal systems.
- Simulate real attacks and test plans to build the resilience and durability of your own response team.
- Develop and update policies centered on nationally recognized frameworks, such as CMMC and NIST.
- Audit configurations, controls, and network segmentation to ensure key devices are up to date and functioning as intended.
As the nation and its communities confront these challenges, it becomes imperative to prioritize a strong cybersecurity footing and adopt rigorous practices to protect essential services. The White House’s warning is a blaring call for immediate action to solidify defenses and ensure the resilience of utility providers in the face of emerging cyber strikes.