Drinking water systems under attack in the US, White House warns
Cyber attackers are hitting drinking and wastewater systems throughout the US, the White House and Environmental Protection Agency have warned.
In a letter issued on Tuesday (18 March) by EPA administrator Michael Regan and National Security Adviser Jake Sullivan, state governors were warned that water facilities must improve their defences against the increasing risks from and consequences of these attacks.
The letter highlighted two recent attacks carried out by malicious state-backed actors on drinking water systems.
The first attack on US drinking water systems was carried out by threat actors affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC), while a second came from a Beijing-backed cyber group known as Volt Typhoon.
The Biden administration is worried that China could use a hacking campaign to disrupt critical infrastructure in the event of a geopolitical conflict with the US.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the letter stated.
Governors were urged to ensure their states review their current cyber security practices to identify risks and vulnerabilities and were reminded that even if basic practices were not in place “it could mean the difference between business as usual and a disruptive cyber attack”.
According to Debrup Ghosh, senior manager at Synopsys Software Integrity Group, the current attacks targeting water and wastewater systems should serve as “a stark reminder” that the nation’s critical infrastructure is made up of cyber-physical systems that can be targeted and exploited by hackers.
Organisations of all types, he added, including public utilities, are software companies—and as such, they need to take cybersecurity hygiene and software supply chain security seriously.
At a minimum, Ghosh advises, critical infrastructure organisations need to adopt basic software security best practices such as automated security testing, periodic penetration testing, and vulnerability management to avoid becoming “low-hanging fruit” for attackers.
“More specifically,” he added, “these organisations should have constant visibility into their software supply chain so they can respond quickly to vulnerabilities and threats and prevent disruptions or breaches.”
The cyber security adviser adds that maintaining Software Bills of Materials (SBOMs) for mission-critical systems is a good first step and one that is emphasised in the Executive Order on Improving the Nation’s Cybersecurity.
“All organisations, including government entities, should consider SBOMs in the broader sense as a risk management system.
“The practices, processes, and activities involved in creating and maintaining an SBOM should be standardised so they are predictable and repeatable to drive better risk management for organisations.”