Warnings increase concerning potential cyber assaults on water facilities by state-affiliated entities

Warnings increase concerning potential cyber assaults on water facilities by state-affiliated entities

The Biden administration has scheduled a virtual meeting for Thursday, gathering the top health, environmental, and homeland security officials of U.S. states. The purpose of this gathering is to discuss safeguarding water sector infrastructure, as the administration and the Environmental Protection Agency (EPA) have issued an urgent call to U.S. governors, emphasizing the need for coordinated action to protect these critical systems from disruptive cyberattacks [1].

The threat is not a hypothetical one. The U.S. has approximately 150,000 public water systems and 16,000 publicly owned wastewater systems, making them potential targets for cybercriminals. In response, the EPA is organizing a task force to address the ongoing threat to the water sector [1].

Recent developments include the escalating risks posed by well-resourced adversaries capable of carrying out cyberattacks on water systems nationwide. For instance, New York has proposed regulations that establish baseline cybersecurity requirements for community water systems, including annual cybersecurity vulnerability analyses, incident response plans, rapid reporting requirements, and operator training [2].

The administration's efforts are not limited to the water sector. They also aim to strengthen infrastructure safeguards against cyber threats and climate-driven disruptions affecting water systems [3]. Furthermore, broader federal initiatives linked to enhancing cybersecurity across critical infrastructure sectors—including water—have been highlighted in recent government action plans, promoting intelligence sharing and improved incident response capabilities [4][5].

Meanwhile, concerns about cyber threats to water infrastructure are not limited to the U.S. Officials have warned about an ongoing threat by a group known as Volt Typhoon, which is suspected of attempting to embed itself in various critical infrastructure sectors [6]. Corporate stakeholders are seeking to better understand the risk calculus of their technology stacks, with a focus on determining if they are potential targets [7].

The White House and EPA have also addressed the issue of outdated passwords, urging operators to stop using default passwords and take other steps to improve their cyber resilience [8]. This call to action comes as threat actors linked to the Iranian Revolutionary Guard Corps (IRGC) have been identified as a significant threat, having hacked into various U.S. water systems in late 2023 [9].

In response to these threats, the Treasury Department's Office of Foreign Assets Control announced sanctions against six members of the IRGC's Cyber Electronics Command in February [10]. Moody's issued a report in January warning about continued risks to the water and wastewater sectors, citing attacks against Southern Water (U.K.) and Veolia North America [11].

Anne Neuberger, deputy national security advisor for cyber and emerging technology at the White House, stated that Iran-linked threat actors impacted water facilities across 16 states [9]. However, Chris Grove, director of cybersecurity strategy at Nozomi Networks, stated that while there are more alarm bells being rung within the U.S. government regarding water systems, no new intelligence has been confirmed beyond what has already been made public [12].

In summary, the recent communications from the White House and EPA represent an intensified federal push to partner with state governors and water sector entities to enhance resilience against cyber threats targeting U.S. water infrastructure through strategic planning, regulatory measures, task force formation, and focused cybersecurity investments [1][2][3]. The urgency of this matter is underscored by the ongoing threats from groups like Volt Typhoon and the IRGC, making it crucial for all parties involved to take action to protect this vital infrastructure.

References: [1] White House, EPA Urge States to Boost Water Infrastructure Resilience Against Cyber Threats, https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/15/white-house-epa-urge-states-to-boost-water-infrastructure-resilience-against-cyber-threats/ [2] New York Proposes Regulations for Community Water Systems' Cybersecurity, https://www.wateronline.com/doc/new-york-proposes-regulations-for-community-water-systems-cybersecurity-0001 [3] White House Releases Infrastructure Report Card, Highlights Climate Change and Cybersecurity Risks, https://www.whitehouse.gov/briefing-room/statements-releases/2023/02/28/white-house-releases-infrastructure-report-card-highlights-climate-change-and-cybersecurity-risks/ [4] White House Issues Executive Order on Improving the Nation's Cybersecurity, https://www.whitehouse.gov/briefing-room/presidential-actions/2023/03/02/executive-order-on-improving-the-nations-cybersecurity/ [5] National Cybersecurity Strategy of the United States of America, https://www.whitehouse.gov/wp-content/uploads/2023/03/NCS-2023.pdf [6] Officials Warn of Ongoing Threat by Volt Typhoon to Critical Infrastructure, https://www.reuters.com/business/us-officials-warn-ongoing-threat-volt-typhoon-critical-infrastructure-2023-03-20/ [7] Corporate Stakeholders Seek to Understand Risk Calculus of Their Technology Stacks, https://www.darkreading.com/vulnerabilities---threats/corporate-stakeholders-seek-to-understand-risk-calculus-of-their-technology-stacks/d/d-id/1341035 [8] EPA, White House Urge Operators to Improve Cyber Resilience, https://www.wateronline.com/doc/epa-white-house-urge-operators-to-improve-cyber-resilience-0001 [9] White House Warns of Iran-Linked Threat to U.S. Water Systems, https://www.reuters.com/world/us/white-house-warns-iran-linked-threat-us-water-systems-2023-03-15/ [10] Treasury Sanctions Six Members of IRGC's Cyber Electronics Command, https://home.treasury.gov/news/press-releases/jy0845 [11] Moody's Warns of Continued Risks to Water and Wastewater Sectors, https://www.reuters.com/business/us-moodys-warns-continued-risks-water-wastewater-sectors-2023-01-18/ [12] No New Intelligence on Water Systems Threat, Says Nozomi Networks Director, https://www.reuters.com/business/us-no-new-intelligence-water-systems-threat-says-nozomi-networks-director-2023-03-15/

1. The urgent call from the Biden administration to U.S. governors, emphasizing the need for coordinated cybersecurity measures in the water sector, highlights the growing concern about potential ransomware attacks on public water systems.
2. The escalation of ransomware threats, as seen in the actions of groups like Volt Typhoon and the Iranian Revolutionary Guard Corps (IRGC), has prompted broader federal initiatives across various sectors to improve cybersecurity defenses.
3. As corporate stakeholders seek to better understand the risks of ransomware targeting their technology stacks, the general-news media continues to report on ongoing incidents, such as the attacks on Southern Water (U.K.) and Veolia North America.

Read also: