Cyberattacks on the U.S. Water Supply – and How to Fight Back

By Matt Hayden

Matt Hayden served as the Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy at the Department of Homeland Security. Hayden previously was the Senior Advisor to the Director of the Cybersecurity and Infrastructure Security Agency, and Deputy Assistant Secretary for the Private Sector within the Office of Partnership and Engagement at the DHS. Prior to joining DHS, Mr. Hayden was a senior executive with the National Disability Rights Network focusing on the use of technology and modernization for the national membership.

CIPHER BRIEF EXPERT INTERVIEW — Cybersecurity experts are alarmed by a recent spate of attacks against U.S. water facilities carried out by individual hackers and others tied to Russia, China and Iran. The concern follows cyberattacks at local water facilities in different parts of the country – none of which did major damage, but all of which have raised fears of longer-term plans to disrupt one of the most important elements of the nation’s critical infrastructure. The Cipher Brief published a deep-dive analysis on the subject Sunday; among those featured was Matt Hayden, former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk and Resilience Policy. Hayden spoke with Cipher Brief Managing Editor Tom Nagorski.  

We publish that conversation in its entirety here, with only minor edits for clarity.

EXPERT Q&A

The Cipher Brief: What is the cyber threat to U.S. water systems? And how worrisome is this to you and to the cyber community?

Hayden: The water sector is seeing direct attacks that we haven’t seen in other sectors because of a large number of reasons. There are at least five publicly attributed attacks in the last two years in which we have seen nation-state and criminal actors on the networks of a water treatment plant in which they are, let’s just call it, seeing what they can do. And not having devastating effects, but compromising the system’s remote capabilities and navigating those very sensitive controls. And so with that being said, the water sector has a lot of challenges ahead of it.

They are dealing with technology that wasn’t designed with the internet to be connected to it in mind. The remote monitoring tools that have been connected to the internet don’t have a real strong role-based security platform associated with them. So you can’t just append them to things like Zero Trust. And so they have a very poor defensible position and then they are what government would refer to as resource-poor, target-rich infrastructure. So they just can’t raise rates because a lot of them are in municipal environments or just have local price challenges where they can’t just charge more to provide more security for those platforms.

Everyone wants water to come out of their tap and it to be clean and safe. At the same time, you have an adversary or set of adversaries that now sees them as very viable targets. And so they are looking through the attack surface for these different organizations. They’re scattered across the country. Some are very modern, some are very secure, but a majority of them do have these challenges to overcome.

The Cipher Brief: What is the long-term game for somebody who’s coming in and, as you say, “seeing what they can do”?

Hayden: So there are two schools of thought on this. There are the criminal actors that are looking to see what data is there to exfiltrate or what controls they can take hostage, and try to drum up a ransomware payment or some level of exploitation that leads to them either being able to brag about compromising a system or do a traditional ransomware exfiltration.

For actors at the nation-state level, it is the living-off-the-land technique. This is what we saw with Volt Typhoon, in which Chinese actors were leveraging the security tools that are available to monitor the platform to deceive and hide their tracks, and to set up shop on that network and to identify the resources and the services that are available should they choose, at a time of their choosing, to leverage disruption or destruction of that critical infrastructure.

And they’re not stopping with just water. The U.S. government has come out and said, the Chinese government is targeting our water system, and it’s definitely something with extreme attention paid to it.

The Cipher Brief: If there were to be a full-blown conflict at some point between the United States and China, this probing that the Chinese are doing would give them, as you say, leverage to do something really nasty in the event of a conflict.

Hayden: Exactly. There are degrees of confidence that establish our foreign adversaries’ or strategic competitors’ decision-making. One of those items is their ability to disrupt our way of life domestically. And if you can take out our critical infrastructure, you can disrupt our way of life domestically. And so those are targets that are used as diplomatic pawns, as well as elements of an engagement that may lead itself up to types of critical infrastructure being targeted for future kinetic activities, such as we see with the potential of the Taiwan Strait.

The Cipher Brief: Some of the targets they have chosen – whoever’s doing this – have been very remote, and small. Mandiant reported last week on attacks in rural Texas – really rural, a small town called Muleshoe. What’s the thinking there? Is that again just because it’s easier to breach? Why and how do they find these places to attack?

Hayden: So this is where the AI story comes in. We’re starting to see technology in the hands of bad actors to leverage kind of that phone book, if you will, of where vulnerabilities exist and where they’re ripe for exploiting. So you may have a bad actor that has a set of tools and they open up these AI-driven engines to “vulnerability scan” a lot of our critical infrastructure. And when they find an organization that has that low-hanging fruit of vulnerabilities that are available, that you can see through the internet, they’re going to exploit them. And so it’s not necessarily a targeting of a rural environment, as much as it is a targeting of an unlocked door. They’re looking to find any organization that doesn’t have that cyber hygiene down pat or has a known vulnerability that’s screaming to be exploited. They’re going to go there first. And it being a water treatment plant allows them to have that operational technology footprint to go in and test whatever tools they want inside that perimeter.

The Cipher Brief: Just for the lay person, the door is open, to use your metaphor. How does it work? How do they get in and what do they do once they’re inside the door?

Hayden: Not speaking specifically to the incident in Texas, but just in general, there are what we refer to as edge devices. This could be the modem in which you connect to the internet. This could be your Cisco firewall or insert-brand-name-here firewall. They all require service packs, updates, patching. And when these patches become available, they identify what vulnerability they fix.

And if you’re not up to date on patching your edge devices or securing them or mitigating them from risk of people getting into them, they can be used against you. And so devices that connect to the internet that aren’t routinely patched and mandated with updates shine like a bright light in a dark cave of vulnerable assets that can be taken by individuals looking for them.

The Cipher Brief: Let’s put you in the position of being a governor and having to deal with this. What do you do now that you’ve been told that this should be near the top of your concerns – and you now have to worry about cybersecurity in every water facility in your state?

Hayden: Post-9/11, we have had funds for both security to involve cyber as well as physical security to the states. DHS has grants that are administered through FEMA. Now there are cyber grants that are a component of that, that are partially worked with the CISA angle. So there are funds coming to the states to create kind of that software umbrella, if you will, and to try and set up practices and security operations at a state level and at local levels using federal dollars or state dollars, and that match the effort and really protect as much as they can across their state for what they consider critical.

And so it’s not the feds directly providing those services, but it’s the states, and that gives a governor confidence because those people already are there. It’s not like you’re telling a governor you have to now create this program to support cybersecurity in your state. They’ve been there for over a decade, in some cases two. And so they have the vehicle in place at the state level, from an emergency management and security operations level, to really step forward and to prioritize this much-needed sector that needs a lot of help.

A lot of it is just assessment. The states will come in and do quick assessments, like we have this many water facilities. When we run our vulnerability scanning software at the state level against them, we see these bright lights. This is what has to be fixed. The fastest, these are what require us to actually buy something to fix it. These are the ones where we can just patch it and let’s go forth and conquer.

Adding this as a priority does incur cost. It does spread thin the workforce, but it is doable and it’s a necessary step. They’re not on their own though. The resources that come to the states aren’t the only thing that the feds provide. There are shared services. So, as a member of critical infrastructure, they do get free shared services from DHS and DHS’s CISA, which are the vulnerability scanning services for themselves. They get a daily report of what they look like from the outside world.

And you can build a relationship because there’s regional folks across the board. You have your FBI liaisons, you have your CISA liaisons, you have your state folks. There are individuals wherever you are that you need to build a reputation and a relationship with because the last thing you want to do is to build that relationship under pressure of an incident.
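As an added illustration of the triage Hayden describes (run an outside-in scan, find the “bright lights,” then sort what can simply be patched from what needs new equipment), here is a small Python script that sorts a daily external-exposure report into actions. This is example code written for this page; it is not from Hayden, The Cipher Brief, CISA or any real scan service. The report format, the column names, the asset names, ports and findings are all constructed assumptions for the example.

```python
"""Triage an outside-in exposure report for a water treatment plant.

Constructed example: the CSV layout, asset names, firmware versions and
findings below are made up for illustration. Actions follow the interview's
split: patch now, buy/replace, reduce exposure, or just keep watching.
"""
from dataclasses import dataclass
import csv
import io

# Constructed sample "daily report": one line per asset as an external scan
# might describe it. Column names are assumptions for this example.
SAMPLE_REPORT = """\
asset,device_type,firmware,exposed_ports,known_vuln,patch_available,end_of_life
wtp-fw-01,firewall,9.2.1,443;22,yes,yes,no
wtp-modem-01,cellular_modem,1.0.4,80;23,yes,no,yes
wtp-hmi-remote,remote_hmi,4.1.0,5900,no,no,no
wtp-plc-01,plc,2.7,,no,no,no
wtp-vpn-01,vpn_gateway,7.0.3,443,yes,yes,no
"""

# Remote-access or control services a defender would not expect to be
# reachable from the internet on OT gear (assumed list for this example).
RISKY_REMOTE_PORTS = {23: "telnet", 5900: "vnc", 3389: "rdp", 502: "modbus", 80: "http"}


@dataclass
class Finding:
    asset: str
    action: str     # what the utility should do
    priority: int   # 1 = fix first
    reason: str


def _yes(value):
    return value.strip().lower() == "yes"


def triage_asset(row):
    """Map one report row to an action, most urgent conditions first."""
    ports = [int(p) for p in row["exposed_ports"].split(";") if p]
    exposed = bool(ports)
    vuln = _yes(row["known_vuln"])
    patch = _yes(row["patch_available"])
    eol = _yes(row["end_of_life"])
    risky = [RISKY_REMOTE_PORTS[p] for p in ports if p in RISKY_REMOTE_PORTS]

    if exposed and vuln and patch:
        # The "just patch it and go forth" bucket.
        return Finding(row["asset"], "PATCH_NOW", 1,
                       "internet-reachable, known vulnerability, vendor fix available")
    if exposed and vuln and (eol or not patch):
        # The "we have to actually buy something" bucket.
        return Finding(row["asset"], "REPLACE_OR_ISOLATE", 2,
                       "internet-reachable, known vulnerability, no patch (budget item)")
    if exposed and risky:
        # Remote monitoring reachable from the internet with no real access control.
        return Finding(row["asset"], "REDUCE_EXPOSURE", 3,
                       "remote-access service reachable from the internet: " + ", ".join(risky))
    if exposed:
        return Finding(row["asset"], "MONITOR", 4,
                       "internet-reachable, nothing known to be wrong")
    return Finding(row["asset"], "INTERNAL_ONLY", 5, "not reachable from the internet")


def triage_report(report_text):
    """Parse the CSV report and return findings ordered by urgency."""
    rows = csv.DictReader(io.StringIO(report_text))
    findings = [triage_asset(r) for r in rows]
    return sorted(findings, key=lambda f: (f.priority, f.asset))


def summarize(findings):
    """Count findings per action, the numbers a state team would report up."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_report(SAMPLE_REPORT)
    for f in results:
        print(f"{f.priority} {f.action:19} {f.asset:15} {f.reason}")
    print(summarize(results))
```

The ordering is deliberate: an internet-reachable device with a known vulnerability and an available fix is the cheapest risk to remove, so it sorts first; an end-of-life device with the same finding cannot be patched and becomes a purchasing decision; an exposed remote-monitoring port with no known CVE still gets flagged because, as the interview notes, those tools usually lack real role-based access control. In practice the “known_vuln” column would be fed from the scan service’s own findings rather than a hand-filled CSV.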

The Cipher Brief: Let’s say a facility has already been infiltrated. I assume part of this work is also aimed at cleaning that up.

Hayden: Yes, and incident response is a big key. So there’s going to be help also from the FBI, the state level and others. A lot of different organizations do incident response in different ways, where they have individual groups on retainer, they may have an insurance partner that supports incident response. And a lot of that is based on the collection of what just was done and what needs to be formulated in a report, for after-action and for cleanup.

But one of the things I’d like to hit on is that some of these efforts are happening because the actors themselves don’t believe there’s going to be retaliation. So there’s a gap. There’s a deterrence element to this that is missing. And the United States government has the ability and tools and expertise and great people to really take on strategic deterrence across the diplomatic spectrum.

That includes leveraging our assets across, for example, U.S. Cyber Command and others, to take a look at those that target our critical infrastructure and respond in a public way so that these actors not only know that they are going to be investigated by the Department of Justice, they are going to be identified as criminals who provide these services. They’re also going to have a challenge using that equipment and that technique again, because we are leveraging a deterrent in the direction of the people who created this problem in the first place.

In the past there were conversations with leaders. There were a myriad of opportunities and options to put forward when a cyberattack happened. You didn’t have to respond cyber for cyber. But we’ve come to this point where now there needs to be a deterrent level where effective campaigns against bad actors strengthen the U.S. protections of critical infrastructure, because you’ll know if you do this, you’re going to get burnt. And until that happens, there’s going to be people who believe that they can get away with this. And it’s just got to come to a stop.

The Cipher Brief: How important is it that the public here be made aware of all the things we’ve been talking about?

Hayden: It’s essential. Having the public support as well as information on these types of activities is really going to drive an understanding of the strategic posture that the U.S. government has with both adversaries as well as partners alike. If we’re doing our jobs of communicating the threats and risks from strategic competitors as well as adversaries, there wouldn’t be as much ambiguity towards those types of subject areas. So it’s definitely a challenge. There is a lot of noise right now. If you turn on your news, you see court cases and you see campuses with severe challenges around protests and you see a lot of noise in that area. It’s hard to cut through, but this is definitely a subject that has to stay strategically forward for the national security community and those that rely on it.
