Last week The Cipher Brief published a look at the threat to the nation’s water supply posed by cyberattacks – an issue brought to the fore by a series of recent hacks against local water facilities in different parts of the U.S. While the attacks have caused limited damage, Cipher Brief experts warned that some of the perpetrators – particularly those tied to nation states including Russia, China and Iran – are probing local water systems for weakness, with the likely aim of gaining a cyber-foothold should they wish to carry out more damaging attacks in the future.
Warnings about the issue have come from FBI Director Christopher Wray, the Environmental Protection Agency, and from the White House, which has asked the nation’s governors to draw up plans by June 28 to deal with cybersecurity risks in their states’ water systems.
Addressing these concerns – for water and other elements of critical infrastructure – is the core work of the Cybersecurity and Infrastructure Security Agency (CISA), which was created in 2018 and now operates with more than 3,000 employees and a budget of roughly $3 billion. Cipher Brief Managing Editor Tom Nagorski spoke to Jermaine Roebuck, CISA’s Associate Director for Threat Hunting. The job title suggests the work at hand; essentially, Roebuck’s work involves hunting down such threats, and looking for ways to counter them.
Roebuck said workers at many of these local water facilities have no idea why they might be targeted, and lack the resources and knowledge needed to guard against an attack. But he said he was cautiously optimistic that nightmares can be avoided. “I'm confident that progress is being made,” Roebuck said of efforts to bring cybersecurity to these facilities. “I can't really tell you that a year from now or six months from now that we're going to totally be secure, but I am confident that we are taking all the necessary and appropriate steps to address it.”
This Cipher Brief interview has been edited for length and clarity.
The Cipher Brief: Could you give us your level of concern about the issue? It sounds on the one hand, to the layperson, super alarming. On the other, the impact has been local and without great damage. Where on that spectrum is your level of concern or alarm over these hits on the water supply?
Roebuck: I'm going to try to give you three distinct concerns that we have, just to frame it. Over the last several years, we’ve directly engaged with dozens of water and wastewater sector entities. And by and large we found that many of these organizations don't have the resources to effectively practice and implement basic and recommended cybersecurity defense practices. Water facilities often have internet-facing critical control system components that have weak authentication. So that means no passwords or default passwords, and that's really allowing threat actors to use very unsophisticated methods to gain access.
Naturally that level of access could potentially cause harm to our environment, water availability, and there are a number of different associated systems that actually depend on a constant supply of water. So we've seen that numerous threat actors have taken advantage, and are starting to target these critical infrastructure organizations by taking advantage of that lack of resources.
Out of the People's Republic of China, you have a cyber threat actor that we are calling Volt Typhoon. They're looking to pre-position themselves on OT (operational technology) networks including within water and wastewater sectors. And that's for the purposes of conducting disruptive and destructive attacks in the event of a conflict.
Recently we’ve got the Russia activists, going by the name Cyber Army of Russia Reborn. They're taking credit right now for continued attacks across critical infrastructure to include water and wastewater sectors, and have claimed attacks against entities within the energy sector.
Then we’ve got the Iranian threat actor. They go by the name Cyber Avengers. They've already attacked numerous water and wastewater entities across the U.S.
The Cipher Brief: You mentioned that you've been in touch or engaged with dozens of these facilities around the country. Is that in response to attacks – or is that just looking around proactively, to find out where some problems and weaknesses might be?
Roebuck: Most of them are a response to either targeting or attacks that we have seen. Obviously there's some level of engagement we do as well on a more proactive front. So it's a bit of a mixture.
The Cipher Brief: All these actors are looking to wreak havoc or get a foothold into our critical infrastructure. Why go after water?
Roebuck: Water I believe is one of the most visible. If you're able to shut off the water supply to the public, obviously that will create some amount of discord and disenfranchisement of folks. The other part of it is that this sector is what we found to be one of our weaker sectors in terms of cybersecurity best practices. At a lot of the entities that run these systems, cyber isn't their first job. Their first job is to get these systems up and running and to focus on availability. Many of these folks, they're not necessarily paying attention to, or have limited visibility into, the threats that they're facing.
So I think it's a combination of a few things, that includes the ease of the ability to target that attack surface, and the ease of being able to get into those environments.
The Cipher Brief: And given that there are, I imagine, hundreds of these facilities, that's hundreds of potential targets, and they're not federal facilities, how do you begin to go about addressing all of this? Does it mean getting in touch with and finding all these weak links, or is there some other overriding approach you take?
Roebuck: No. And there are actually thousands of these entities all across the United States. So it's a pretty tough challenge. There are a few ways that we're approaching it. One of them, we have cybersecurity advisors and physical security advisors that are spread out throughout the continental United States. And their job is to interface with a lot of these organizations. But obviously that doesn't cover all the ground that we need to cover.
So here at CISA, what we've been focused on is trying to figure out, How do we meet these organizations where they live? And essentially, that means a lot of these organizations are probably in rural towns. So they mostly only look at their local news or interact with their vendors. Somehow we've got to reach those target audiences to get this message out, and that's really what we've been focused on here recently.
The Cipher Brief: And do you think they themselves know what they don't know? Do they know their weaknesses? Is the team that runs a facility, let's say somewhere in Oklahoma, aware of what's happened in rural Texas or rural Pennsylvania or wherever?
Roebuck: I don't get a sense that they are, unless they're paying attention to the mainstream media, where most of this information gets communicated. The only other vantage point that they have is through the different ISACs (information sharing and analysis centers). And those ISACs really attempt to get that information and that message down. But then again, if cyber isn't their first job, then it is kind of tough to get down to that level of communication.
The other challenge that we have is that many of these rural municipalities, they don't think that they’re targets; they couldn't fathom why a nation state or any cyber actor would try to penetrate their environments. So some of it comes as quite a shock to them that they are in fact part of the attack surface.
The Cipher Brief: The point you make about public information and raising public awareness – that's come up in a lot of our own reporting. Is there a way to blast the message to all these places, a wakeup call, to say you need to be aware of the risk and the threat and so forth?
Roebuck: I'm not aware of something akin to a public broadcast system. I think what we've been talking about behind the scenes is, how do we use that regional footprint, so those cybersecurity advisors to go to the local outlets and push that information to those outlets. So we'll have a better chance and a better shot at reaching some of those not so mainstream audiences, if you will.
The Cipher Brief: As I'm sure you're aware, the White House put out a directive to governors last month, saying basically, You need to put cybersecurity risks and the water supply at the top of your concerns. What is a governor meant to do with that?
Roebuck: I think if they don't already have the mechanisms within the state and local government institutions, the best thing to do is kind of direct them towards the organizations that do have that focus area and do have the resources. On the CISA front, we’ve been proactively working with and partnering with the EPA and partnering with the FBI and other international organizations to really compile the information that we think these entities need in the water and wastewater sector. And we've been publishing that guidance on our CISA.gov website. It includes a lot of really practical steps, basic steps that these entities can take. So I think that from the governor and state and local perspective, if they could continue to carry that message and get that down to those local audiences, I think that'll help move the needle.
The Cipher Brief: When you say steps they can take, do you mean in the event of an attack, or to prevent an attack?
Roebuck: Both. Obviously before the attack happens, we would much prefer them to be positioned to protect themselves and defend themselves. So we have guidance on our website that discusses that – as in, here are some of the practical steps that you need to take prior to a cyber incident. And then even during a cyber incident, we do have incident-response guidance that we push out as well.
The Cipher Brief: We’ve heard all kinds of nightmare scenarios. The possibility of the water supply getting contaminated or failing entirely, and of course the highest-level national security officials in the country have warned that in the event of a US-China conflict, China may use this as a lever. With all that as a backdrop, how confident are you and your team in terms of the ability to avoid those nightmares?
Roebuck: I think we're doing everything that we can right now to kind of prepare the community at large, and not just the water sector, in the event of a catastrophe such as that. As much as we can do now in terms of getting the word out and working with the managed service providers, working with the vendors to help them put out better products and to configure systems more securely is the place that we want to be. Because mind you, a lot of these (water facilities), they're depending on the vendor to give them a product that is secure. So we're working very hard with those vendors to not give these local municipalities an OT device that has a default password that happens to be the same default password everyone else is using.
And then, oh, by the way, they're putting that same default password on their website. We're saying, don't do that. Let's do something different. So it’s not just getting the word out to these local facilities, this problem's much broader. We have to address the problem much more holistically, working with the vendors, working with the service providers, and working with the downstream partners as well.
The Cipher Brief: So are you confident?
Roebuck: I'm confident that progress is being made. I can't really tell you that a year from now or six months from now that we're going to totally be secure, but I am confident that we are taking all the necessary and appropriate steps to address it.
And I'm very passionate about making sure that your audience understands the importance of taking some of the most basic cybersecurity steps more seriously, such as changing those default passwords. If we can take away some of these unsophisticated and really easy methods that these actors are leveraging, that makes it that much better for us and moves the needle a bit for the defensive side.