The EPA is also convening a task force to take on some of the challenges facing the sector around cyber security efforts.
The White House sent a stark warning to U.S. governors on Monday that “disabling” cyber attacks targeting water systems are occurring throughout the United States, in what is the Biden administration’s latest plea to state authorities to direct more resources and attention to protecting water utilities.
In their letter, the White House and the Environmental Protection Agency invited state officials to a Thursday meeting to discuss how to improve digital defenses for the more than 1,50,000 utilities in the U.S. The EPA is also setting up a water sector cyber security task force that will outline some of the biggest challenges the sector faces and develop strategies to defend against the threat.
“Disabling cyber attacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote in the letter.
The letter pointed to the China-sponsored hacking group Volt Typhoon’s targeting of critical infrastructure sectors like drinking water in the U.S. as an example of the threat. National security officials have been sounding the alarm that Volt Typhoon’s intrusion suggests that China is pre-positioning itself to carry out disruptive attacks in the event of a conflict over Taiwan.
Speaking to reporters last week ahead of his retirement, NSA Cyber security Director Rob Joyce warned that federal investigators are continuing to discover victims of Volt Typhoon’s hacking campaign and that the full scope of the group’s spree remains unclear.
According to Joyce, the campaign has two primary objectives: being able to disrupt U.S. communication with and military deployment to East Asia in the event of a conflict between the United States and China, and to disable critical U.S. systems and incite widespread panic in a crisis.
Monday’s letter points out that water systems face attacks by other groups as well, including opportunistic attacks by a group known as the Cyber Av3ngers — an outfit linked to the Iranian Islamic Revolutionary Guard Corps. That group was responsible for attacks on devices made by the Israeli firm Unitronics that impacted several water facilities in the U.S.
While there is no evidence that the attacks were specifically targeting the water sector, the Iran-linked hacking group was only able to breach the devices due to the failure of Unitronics and the water facilities to change the default password. The letter said that basic cyber security precautions like changing the default password “can mean the difference between business as usual and a disruptive cyber attack.”
The EPA had attempted to impose more stringent cyber security rules for water utilities, but backed off that effort last year amid legal challenges to the effort.
The EPA initiative relied on a creative approach to use the agency’s sanitation authorities to impose some measure of cyber security mandates on a water industry that currently lacks binding rules for how to protect its digital systems.
The move was part of a larger attempt to add more stringent cyber security regulations to critical infrastructure sectors, many of which are unregulated when it comes to cyber security. In the absence of the EPA rules, the water sector continues to have no binding cyber security rules.
Major portions of the water sector are notoriously underfunded to secure themselves against state-backed threats, and experts have called for the need for additional funds in order to improve defenses.
Monday’s letter points to existing resources for the sector through both the EPA and the Cybersecurity and Infrastructure Security Agency, and notes that the upcoming meeting will highlight efforts by the government to promote secure practices as well as discuss the need for additional action.
Source: https://cyberscoop.com/epa-water-threats-governors/
Image : https://cyberscoop.com/wp-content/uploads/sites/3/2024/01/GettyImages-1206831649.jpg?resize=1264,843
