Facepalm: It's been the subject of fearmongering for years – decades, even: elite hackers from hostile foreign nations targeting public utilities on US soil in a bid to bring modern society to its knees (or at the very least, make daily life a bit more stressful). According to a recent letter from the White House, the nightmare scenario may be coming to fruition.

EPA Administrator Michael S. Regan and National Security Advisor Jake Sullivan warned of cyberattacks striking drinking water and wastewater systems across the US. The duo highlighted an ongoing attack by actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps that targets facilities that have neglected to change a default manufacturer password on certain operational technology.

A separate attack involves Volt Typhoon, a state-sponsored cyber group associated with the People's Republic of China. According to the warning, Volt Typhoon has successfully compromised multiple critical infrastructure systems in a manner that is not consistent with traditional cyber espionage. Agents believe the group is actively pre-positioning itself to disrupt infrastructure operations in the event of military conflict or geopolitical tensions.

The White House said water systems are an attractive target for hackers in part because local facilities often lack the resources and technical know-how required to implement stringent cybersecurity measures.

In the face of continued threats, it is imperative that state leaders ensure that all water system operators assess their current cybersecurity practices to identify any significant vulnerabilities, remedy obvious shortcomings, and exercise plans to prepare for, respond to, and recover from a cyberattack.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published a list of actions that water system operators can take to improve their defenses against such attacks. Suggestions include changing default passwords right away, reducing exposure to the public-facing Internet, and conducting cybersecurity awareness training. Operators are also advised to conduct regular cybersecurity assessments, take inventory of tech assets, and back up all IT systems.

Image credit: Nils Huenerfuerst, Jani Brumat