Free Republic
News/Activism

White House, EPA warn water sector of cybersecurity threats
Cyber Scoop ^ | March 19, 2024 | Christian Vasquez

Posted on 03/20/2024 7:57:14 AM PDT by Heartlander

The EPA is also convening a task force to take on some of the challenges facing the sector around cybersecurity efforts.

The White House sent a stark warning to U.S. governors on Monday that “disabling” cyberattacks targeting water systems are occurring throughout the United States, in what is the Biden administration’s latest plea to state authorities to direct more resources and attention to protecting water utilities. 

In their letter, the White House and the Environmental Protection Agency invited state officials to a Thursday meeting to discuss how to improve digital defenses for the more than 150,000 utilities in the U.S. The EPA is also setting up a water sector cybersecurity task force that will outline some of the biggest challenges the sector faces and develop strategies to defend against the threat.

“Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote in the letter.

The letter pointed to the China-sponsored hacking group Volt Typhoon’s targeting of critical infrastructure sectors like drinking water in the U.S. as an example of the threat. National security officials have been sounding the alarm that Volt Typhoon’s intrusion suggests that China is pre-positioning itself to carry out disruptive attacks in the event of a conflict over Taiwan.

Speaking to reporters last week ahead of his retirement, NSA Cybersecurity Director Rob Joyce warned that federal investigators are continuing to discover victims of Volt Typhoon’s hacking campaign and that the full scope of the group’s spree remains unclear.

According to Joyce, the campaign has two primary objectives: being able to disrupt U.S. communication with and military deployment to East Asia in the event of a conflict between the United States and China, and to disable critical U.S. systems and incite widespread panic in a crisis. 

Monday’s letter points out that water systems face attacks by other groups as well, including opportunistic attacks by a group known as the Cyber Av3ngers — an outfit linked to the Iranian Islamic Revolutionary Guard Corps. That group was responsible for attacks on devices made by the Israeli firm Unitronics that impacted several water facilities in the U.S.

While there is no evidence that the attacks were specifically targeting the water sector, the Iran-linked hacking group was only able to breach the devices due to the failure of Unitronics and the water facilities to change the default password. The letter said that basic cybersecurity precautions like changing the default password “can mean the difference between business as usual and a disruptive cyberattack.”

The EPA had attempted to impose more stringent cybersecurity rules for water utilities, but backed off that effort last year amid legal challenges to the effort. 

The EPA initiative relied on a creative approach to use the agency’s sanitation authorities to impose some measure of cybersecurity mandates on a water industry that currently lacks binding rules for how to protect its digital systems. 

The move was part of a larger attempt to add more stringent cybersecurity regulations to critical infrastructure sectors, many of which are unregulated when it comes to cybersecurity. In the absence of the EPA rules, the water sector continues to have no binding cybersecurity rules. 

Major portions of the water sector are notoriously underfunded to secure themselves against state-backed threats, and experts have called for the need for additional funds in order to improve defenses.

Monday’s letter points to existing resources for the sector through both the EPA and the Cybersecurity and Infrastructure Security Agency, and notes that the upcoming meeting will highlight efforts by the government to promote secure practices as well as discuss the need for additional action.


TOPICS: Crime/Corruption; News/Current Events

1 posted on 03/20/2024 7:57:14 AM PDT by Heartlander

To: Heartlander

An attack before the election resulting in either a delayed election or “alternate” voting methods?

No way! /s


2 posted on 03/20/2024 7:59:15 AM PDT by brownsfan (It's going to take real, serious, hard times to wake the American public.)

To: Heartlander

Not to worry. Top men are on the case. Top government bureaucrats who absolutely hate the country are on the case.

And why does the EPA have anything to do with this?


3 posted on 03/20/2024 7:59:53 AM PDT by Organic Panic (Democrats. Memories as short as Joe Biden's eyes.)

To: Heartlander

That’s one thing I hate about being in town- no private well-


4 posted on 03/20/2024 8:01:56 AM PDT by Bob434

To: Heartlander

won’t happen at our property....unless hackers can manipulate the pump handle


5 posted on 03/20/2024 8:03:57 AM PDT by abigkahuna

To: Organic Panic
“Not to worry. Top men are on the case. Top government bureaucrats who absolutely hate the country are on the case.

“And why does the EPA have anything to do with this?”


The EPA is involved because in the event of equipment failure that results in untreated water or a sewage overflow, it's definitely an environmental problem.

I'm a cybersecurity professional and also chairman of our local Municipal Authority (sewage). Our existing SCADA system needs VPN access, and we're replacing it with new SCADA at all our pump stations that will have even tighter security.
6 posted on 03/20/2024 8:06:44 AM PDT by BikerJoe

To: Heartlander

“Target the GOP voting districts” according to a government leak.


7 posted on 03/20/2024 8:26:49 AM PDT by Karl Spooner

To: Heartlander

These bureaucrats study more, warn more, and do less. They are worthless.

I’ve known for years that our water supplies would be the easiest and most effective places to sabotage the country.

So what are the apparatchiks doing? Telling the STATES to get busy.


8 posted on 03/20/2024 8:39:23 AM PDT by Migraine ( )

To: Heartlander
Warnings about attacks on critical infrastructure have been made for at least thirty years. Has any progress been made in that time?

There is a real risk of serious damage to power generating equipment from cyberattacks. I suspect the biggest threat against water supplies is ransomware attacks. Indeed...

Ransomware Hit SCADA Systems at 3 Water Facilities in U.S., October 15, 2021, SecurityWeek.

Several U.S. government agencies issued a joint alert on Thursday to warn organizations in the water and wastewater sector about ongoing cyberattacks. The alert also describes three previously unreported ransomware attacks that impacted industrial control systems (ICS) at water facilities.

The alert was issued by the FBI, CISA, the EPA and the NSA. The agencies are aware of attacks — launched by both known and unknown threat actors — against the IT and OT (operational technology) networks of water facilities.

The agencies noted that while cyber threats are increasing across critical infrastructure sectors, the latest alert does not intend to suggest that the water and wastewater sector is targeted more than other sectors.

...The third newly disclosed attack took place in August 2021. Threat actors deployed a piece of ransomware named Ghost on the systems of a water plant in California. The ransomware was discovered roughly a month after the initial breach, after


Another article reports... The U.S. government agencies confirmed the Dragos assessment, warning that the tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device.

“Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities. The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”


That used to be called "script kiddies" where a low-level tech person could launch sophisticated attacks.
9 posted on 03/20/2024 8:40:39 AM PDT by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)

To: BikerJoe

“...untreated water or a sewage overflow”

Exactly right. And that could go on for a LONG time. In some existing attacks, the operators have had to revert to manual control while the ICS/SCADA systems were restored. That meant a lot more operators walking around and probably the loss of a lot of measurements of water quality, chemical injection, flow rates, etc. I’d hate to be flying blind without instrumentation trying to operate a plant.


10 posted on 03/20/2024 8:43:10 AM PDT by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)

To: BikerJoe
I was concerned about all of this when I was a WTP Operator 15-20 years ago.

I was given the "title" of System Security and the Office and Board Members would dismiss ALL of the items that were vulnerable because they didn't want to spend the money !!!

The most difficult thing I had to do was try to make the DAMNED GM and Bookkeepers understand that we were vulnerable to attacks on our Systems from multiple levels from physical attacks and SCADA attacks.

After getting all of the necessary information to increase our System Security shot down for budget requests for the first year I finally told them that I was going to resign from the "title" because it was a waste of My time gathering information but never given the budget for any of it.

I never liked the GM, Bookkeeper and Highly Ridicules and a few years after I left that System I heard via the grapevine that that little group had been scamming Money to the tune of $250,000.00+ and were keeping it in an Account at the same Bank as the rest of the Accounts for the System. That's why I was always denied funding to Secure the System...

11 posted on 03/20/2024 9:08:59 AM PDT by mabarker1 ( (Congress- the opposite of PROGRESS!!! A fraud, a hypocrite, a liar. I'm a member of Congress!!!)

To: BikerJoe

Seeing similar, if all the people worried about an EMP understood the risks in and holes in critical infrastructure and energy related to legacy control systems they’d probably all crap their pants.

I’ve been privy to things over the last few years that have motivated me to the point I don’t want to even drive near certain facilities.


12 posted on 03/20/2024 9:29:21 AM PDT by Manuel OKelley

To: Manuel OKelley

Yeah...lucky, as a Girl Scout in the 60s I learned how to build a “latrine”


13 posted on 03/20/2024 9:53:50 AM PDT by goodnesswins (The "pandemic" was never serious enough to close the US southern border.)

To: BikerJoe

FACT about “treated water” no one wants to disclose:

When a human used drugs, about 1/2 of the excrement & other liquids THAT leave the body go into the “treatment” plant.

THERE IS NO KNOWN FILTER OR PROCESS THAT CAN CLEAN UP THAT WATER.

Then rest stays in the human


14 posted on 03/20/2024 12:52:25 PM PDT by ridesthemiles (not giving up on TRUMP---EVER)

To: mabarker1
“The most difficult thing I had to do was try to make the DAMNED GM and Bookkeepers understand that we were vulnerable to attacks on our Systems from multiple levels from physical attacks and SCADA attacks.”

I used a poor choice of words at first. I said our current SCADA system NEEDS VPN access. What I MEANT was that it currently USES VPN access, so we're already pretty good there.

As far as the beancounters not taking security seriously, it's a recurring theme everywhere.

I'm fortunate that my org DOES take it VERY SERIOUSLY. I put together the systems for the modern equivalent of a MASH unit, so you can imagine how important it is, being forward deployed. Yet, every time we go through the DoD audit, they tell us "You're the only ones who even seem to try!" That scares the hell out of me, because it makes me wonder what everyone else is doing (or NOT doing). I think what we're doing should be standard, not exceptional.
15 posted on 03/20/2024 7:12:57 PM PDT by BikerJoe
