US National Security Advisor Jake Sullivan warns of 'digital Pearl Harbor' targeting infrastructure
White House warns of 'disabling cyberattacks' by Iran and China
Chinese state-sponsored group attacks on US critical infrastructure may be preparation for war, hints US National Security Advisor Jake Sullivan
The White House has issued a warning to water companies across the US following a number of cyber-attacks on water and waste water infrastructure that, it claims, were carried out by state-sponsored groups linked with Iran and China.
"Drinking water and wastewater systems are an attractive target for cyber attacks because they are a lifeline critical infrastructure sector, but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," warned the letter, which was co-signed by Jake Sullivan, President Biden's National Security Advisor.
In particular, it highlighted the exploitation of Unitronics programmable logic controllers used in water and waste water systems, pointing the industry towards an alert issued by the US Cybersecurity & Infrastructure Agency in November last year.
"Threat actors affiliated with the Iranian government Islamic Revolutionary Guard Corps (IRGC) have carried out malicious cyberattacks against United States critical infrastructure entities, including drinking water systems.
"In these attacks, IRGC-affiliated cyber actors targeted and disabled a common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password."
It also highlighted the threat posed by Volt Typhoon, a state-sponsored hacking group linked with China. It has compromised the IT of "multiple critical infrastructure systems, including drinking water", warned the letter.
Very often, though, the immediate cause was lack of diligence on the part of those responsible for the infrastructure and its security – such as simply failing to change default passwords.
"In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack."
Digital Pearl Harbor
The letter even hints that the cyber-attacks may be in preparation for a conflict in Asia, with tensions rising over Chinese government threats to invade Taiwan.
"Volt Typhoon's choice of targets and pattern of behavior are not consistent with traditional cyber espionage. Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts."
The increase in attacks by Chinese state-sponsored hacking groups points to a potential 'digital Pearl Harbor' should conflict break out over Taiwan, with the US pledged to come to the aid of the island should China attempt an all-out invasion.
The letter therefore urged water companies to up their game.
"We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident."
The letter will be backed up by a meeting that includes Homeland Security in order to arm-lock the infrastructure organisations into improving their security posture.
"The EPA [Environmental Protection Agency] will engage the water sector and Water Government Coordinating Councils to form a Water Sector Cybersecurity Task Force…
"The Task Force will identify the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks."
Digital D-Day
In the UK, the National Cyber Security Centre warned in November 2023 that critical infrastructure security was struggling to keep up with the threats from malicious actors.
Over the past year, Southern Water has been the target of cyber attacks by the Black Basta ransomware group. Personal information and financial data belonging to an estimated five-to-10 per cent of customers had been compromised in the breach. The attack also led to the theft of Southern Water employees' passport scans, ID card data and other personal information.