Despite attacks, water security standards still a pipe dream

It sounds like the start of a bad joke: Digital trespassers from China, Russia, and Iran break into US water systems.

But as White House cybersecurity chief Anne Neuberger reminded Billington Cybersecurity Summit attendees on Tuesday, it's not a joke.

"Water is the only sector where we've seen three different countries attack water facilities in the United States," explained Neuberger.

The Russia- and Iran-linked intrusions were attributed to hacktivists rather than state-sponsored crews. Some threat intel teams have suggested the Russian military's notorious Sandworm group was behind cyberattacks on US and European water plants that, in at least one case, caused a tank to overflow.

Meanwhile, the feds have repeatedly blamed the Chinese government for the Volt Typhoon activity spotted on critical infrastructure systems – including water supplies.

And while there's been "no consequential impact" to date from these break-ins, "at some point, somebody's going to land in a place, in critical infrastructure, that's going to matter," former National Security Agency cyber boss Rob Joyce warned during the RSA Conference earlier this year.

Water infrastructure – just like power plants, electricity substations, manufacturing facilities, and other critical infrastructure – relies on operational technology (OT) systems and processes, which are notoriously hard to secure. They aren't updated as frequently as IT systems because they typically need to operate 24/7, and are often distributed across multiple locations, connecting to various networks. This also makes spotting and mitigating security threats more difficult.

"The biggest point of vulnerability in water infrastructure is the reliance on legacy OT systems," observed Randy Watkins, chief technology officer at security firm Critical Start, adding that these older devices are often outdated, and "not designed with cybersecurity in mind."

The Iranian hacktivist crew that exploited Israeli-made programmable logic controllers (PLCs) used in "multiple" water systems across the US did not need to use sophisticated tactics. They likely broke into the facilities by using default passwords for internet-accessible PLCs.

"These systems often control critical functions – such as water purification and distribution – and are increasingly connected to the internet, exposing them to remote cyberattacks," Watkins told The Register. "Threat actors have been known to exploit these vulnerabilities to manipulate water systems, potentially causing physical harm or contamination."

There have been attempts to plug the security holes in this especially leaky sector, but so far they've gone nowhere. According to Neuberger, the White House is working on a second attempt at minimum cybersecurity standards for water after the first rules were dumped in response to states' lawsuits.

Round two will likely be met with more pushback. Plus, the industry faces some severe challenges when it comes to securing the water supply and treatment facilities.

"Think of electric utilities," Ron Fabela, field chief technology officer of ICS/OT security firm XONA, told The Register. "Every time they're attacked, they say, well, in the US, there's no national grid. And water utilities are even worse – it's tens of thousands of smaller, little companies. Yes, water is critical to people. Can you attack and disrupt the national water supply? No."

The lack of a national water supply and infrastructure also means disparate pools of funding and talent. A major metropolitan area — the Los Angeles County water districts, for example — is going to have a great deal more money and expertise to implement strong cybersecurity practices compared to smaller utilities across the country.

This is probably why it was easy for criminals to compromise the water infrastructure equipment in Muleshoe, Texas – population just over 5,000 – causing a tank to overflow.

CyberArmyofRussia_Reborn's Telegram channel later claimed credit for disrupting human machine interfaces (HMI) controlling the operational technology (OT) systems.

Water systems in the US remain "target-rich, cyber-poor entities," Andrew Costis, engineering manager of the adversary research team at AttackIQ, told The Register.

Still, "the repercussions of cyberattacks on these systems extend beyond operational disruptions, posing significant risks to both human health and the environment through compromised access to safe drinking water and wastewater management," he added.

Tsunami of challenges

Water facilities are much more attractive to would-be attackers than other forms of critical infrastructure.

Nick Tausek, lead security automation architect at infosec biz Swimlane, warned: "Compared to power generation, for example, water infrastructure receives much less attention. But as we have seen with cities like Flint, disruption to the water supply's safety – whether from malfeasance or cyberattack – can have extremely long-lasting and dramatic repercussions."

"It's not hard to imagine a nation-state actor using this historically easy target to simultaneously degrade water safety in multiple areas of the country during a future conflict to erode trust in institutions, harm the populace, and stretch resources away to deal with the water crisis," Tausek told The Register.

EPA strikes out

The first push for minimum security standards began back in March 2023, when the Environmental Protection Agency (EPA) started requiring states to evaluate the cybersecurity of their public water systems' OT environments.

The feds cited increased attacks in multiple states – including the Oldsmar, Florida attempted poisoning – and noted that many of these systems "have failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by a cyberattack."

A month later, state attorneys general of Arkansas, Iowa, and Missouri sued the EPA to stop the rule, arguing that it "intrudes on states' sovereignty," according to the complaint [PDF].

In October 2023, the EPA threw out the rule, citing the lawsuit as the reason. 

The EPA's planned audit of states' water systems' cybersecurity posture "would have been an essential tool to shore up security around critical infrastructure and ensure clean and safe drinking water for residents of the United States," Tausek lamented.

'Reliance on public funding'

But any type of minimum security standard would have been difficult to implement and enforce.

"Some reasons why this area is getting so much pushback are likely due to the reliance on public funding, and how that funding gets distributed amongst the water companies," AttackIQ's Costis explained. "There are also likely to be gaps in regulations which may lead to inconsistencies with regards to security measures, as well as an overall slower rate of security program adoption and improvement over time."

According to XONA's Fabela, this is where the US Cybersecurity and Infrastructure Security Agency (CISA) has a role to play. "CISA is not regulatory, but it does have traction providing guidance," he said. 

He added that more programs to provide grants and loans to rural water utilities that don't otherwise have the resources to implement better security practices are needed: "Using the money stick as opposed to the regulation stick."

There are also some fairly simple technical solutions to the problems, which CISA has encouraged the water and wastewater sector to implement as well. These include changing default and compromised passwords and PINs, changing the ports and securing remote access via a VPN or other technology.

"Just saying 'make sure these things aren't remotely accessible' is not realistic," Fabela noted, adding that while administrators need to be able to monitor water pumps and check chemical levels remotely, this doesn't mean that attackers should be able to scan for and find vulnerable IoT devices easily.
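The hygiene measures above (no default or compromised passwords, no default ports, remote access only through a VPN, and nothing reachable from the open internet) are easy to state and easy to lose track of across thousands of small utilities. The following is an added example, not code from The Register, CISA or any vendor named in the article: a small inventory audit that checks each OT asset against those measures. The asset records, the password list, the port table and the management network ranges are all constructed for illustration; a real audit would load the vendor defaults and address plan for the equipment actually deployed.

```python
"""Audit an OT asset inventory against basic water-sector hygiene.

Added example (hypothetical inventory format); checks each asset for
default/compromised passwords, default protocol ports, management
interfaces outside the utility's OT networks, and VPN-less remote access.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed list of factory-default and known-compromised credentials.
# A real audit would load the vendor defaults for the deployed equipment.
DEFAULT_OR_COMPROMISED_PASSWORDS = {"1111", "1234", "admin", "password"}

# Well-known default listener ports for common OT protocols (constructed table).
DEFAULT_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed address plan: the only networks a management interface may sit on.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass
class OtAsset:
    name: str
    address: str        # IP the management/engineering interface listens on
    port: int           # TCP port the interface listens on
    password: str       # current credential (from the password vault, in practice)
    remote_access: str  # "vpn", "direct", or "none"


def audit_asset(asset: OtAsset) -> List[str]:
    """Return the findings for one asset; an empty list means it passes."""
    findings: List[str] = []

    if asset.password.lower() in DEFAULT_OR_COMPROMISED_PASSWORDS:
        findings.append("default or known-compromised password")

    if asset.port in DEFAULT_PORTS:
        findings.append(f"default {DEFAULT_PORTS[asset.port]} port {asset.port}")

    # Compare against the explicit address plan rather than trusting
    # ipaddress.is_global: documentation ranges such as 203.0.113.0/24
    # are classed as private there, which would hide a misplaced device.
    ip = ipaddress.ip_address(asset.address)
    if not any(ip in net for net in MANAGEMENT_NETS):
        findings.append("management interface outside the OT management networks")

    if asset.remote_access == "direct":
        findings.append("remote access without VPN")

    return findings


def audit_inventory(assets: List[OtAsset]) -> Dict[str, List[str]]:
    """Map each asset name to its findings."""
    return {asset.name: audit_asset(asset) for asset in assets}


def failing_assets(assets: List[OtAsset]) -> List[str]:
    """Names of assets with at least one finding, for the remediation queue."""
    return [name for name, found in audit_inventory(assets).items() if found]


# Constructed sample inventory: one neglected PLC and one properly placed HMI.
SAMPLE_INVENTORY = [
    OtAsset("pump-plc-1", "203.0.113.10", 502, "1111", "direct"),
    OtAsset("chlorine-hmi", "10.20.0.5", 8443, "Tq7!rL9#wZ", "vpn"),
]

if __name__ == "__main__":
    for name, found in audit_inventory(SAMPLE_INVENTORY).items():
        status = "PASS" if not found else "FAIL: " + "; ".join(found)
        print(f"{name}: {status}")
```

Run against a real inventory export, the output is a remediation list ordered by asset; the four checks map one-to-one onto the measures the sector has been asked to adopt, so an empty list is a concrete, repeatable definition of "done".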

"Dear lord, get your stuff off of Shodan please," he urged. "It may not be a national threat, but it's a national embarrassment."

Source: theregister.com