The water sector is failing in its duty to resist attacks from foreign adversaries. That’s the blunt message from the Environmental Protection Agency and the President’s advisor on national security.

“We appreciate your attention to this important issue,” is the passive-aggressive signoff. In today’s SB Blogwatch, we avoid the K-word.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: DEF CON advice.

“Disrupt critical infrastructure”
State governments and water facilities must improve their defenses against the threat, the White House and Environmental Protection Agency warned US governors. [In a] letter to the governors from EPA Administrator Michael Regan and national security adviser Jake Sullivan … said, “even basic cybersecurity precautions” are not in place at water facilities.
…
In November, hackers breached industrial equipment at multiple US water facilities to display an anti-Israel message on the equipment, according to US officials. The Biden administration blamed the Iranian government. … Chinese state-backed hackers have also infiltrated US water facilities, according to US officials. The Biden administration worries Beijing could … disrupt critical infrastructure in the event of a conflict.

“Water Sector Cybersecurity Task Force”
The White House has invited state environmental, health, and homeland security agencies to a meeting to discuss safeguarding the water and wastewater critical infrastructure. Set for Thursday, March 21, at 1pm EST, the one-hour virtual meeting will highlight US government efforts to improve cybersecurity in the water sector, discuss gaps, and urge immediate action from states and water systems.
…
Threats to water systems, the letter reads, include … groups associated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) [and] Chinese threat actor Volt Typhoon. … The White House also announced that the EPA will work with water sector partners to form a Water Sector Cybersecurity Task Force aimed at identifying “near-term actions and strategies to reduce the risk of water systems nationwide to cyberattacks.” The EPA and … CISA provided guidance and … resources to help water systems improve their resilience.

“Basic cybersecurity precautions”
Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices. … Partnerships with State, local, tribal, and territorial governments are critical for EPA to fulfill this mission. In that spirit of partnership, we ask for your assistance in addressing the pervasive and challenging risk of cyberattacks on drinking water systems.
…
In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place. … We appreciate your attention to this important issue and thank you for your partnership.

A bit late? The CISA fact sheet recommends:
* Empower cybersecurity teams to make informed resourcing decisions
* Effectively apply detection and hardening best practices
* Receive continuous cybersecurity training and skill development
* Develop comprehensive information security plans and conduct regular tabletop exercises
* Establish strong vendor risk management
* Ensure performance management outcomes are aligned to the cyber goals

It seems to me that unless all of this is already in place and operational there ain’t a hope in hell of protecting against the advised threat. How is it that critical infrastructure infosec is so utterly inoperative?

To be fair, none of the Boomers in Congress seem to appreciate the awful state of the cybersec posture of US governmental agencies. This has been absolutely an abject bipartisan failure for years, and it drives me abso******lutely insane how little anyone on any side refuses to give it the attention it deserves.

It’s going to take people dying before anything is done, and even then, it probably still won’t be enough. ***holes.

This may be a dumb question, but—uh—have we thought about maybe not having critical infrastructure connected to the Internet at all? Because—I mean—that seems like the easiest solution.
…
With all the ransomware and all the disruption it seems like it would be far cheaper to hire Greg to monitor the different levels on site and be available through a phone call if needed.

Quickly: Unplug all control systems that are connected to the Internet. If for some incredibly stupid reason the software won’t run unless it phones home to mommy, replace it—even if you have to downgrade to older stuff that worked perfectly well.

It’s disheartening that data diodes aren’t widely deployed to allow for monitoring of critical infrastructure while making ingress of control (and thus hacking) physically impossible. We’ve known how to do this stuff securely forever, yet here we are.

My personal theory of how we got here is thus: in the late 1970s, it was decided not to push the recent advances in capability based security out to the wider world, as it would make the NSA’s job just a bit harder.

Makes me glad we are on a well, controlled by old school switches and relays.

Recent Articles By Author