BOTTOM LINE UP FRONT — It’s a serious threat to the nation’s critical infrastructure that not enough people are talking about. That’s the view of cybersecurity experts who worry about a spate of recent attacks on local water supply facilities in the U.S. While the number of attacks is small and the damage has been limited, experts say that individual cybercriminals and nation-state actors looking for holes in America’s critical infrastructure have found an open door, all too easily, in an area of enormous concern.
The attacks on water utilities have come in small and remote communities – Aliquippa, Pennsylvania and Muleshoe, Texas, to name two – a fact that may explain the limited public attention. But recent reports from cybersecurity experts and a warning from the White House have boosted the profile of the threat. Mandiant issued a report this month tying Russian hackers to a breach of water facilities in Texas; in December, the Cybersecurity and Infrastructure Security Agency (CISA) warned that CyberAv3ngers, a group linked to Iran, was “actively targeting and compromising” water facilities; and other attacks have been traced to China.
FBI Director Christopher Wray has warned repeatedly that hackers targeting water facilities might be laying the groundwork to destroy or damage these systems in the future. Experts say that in the case of China, hackers are scouting weak links in America’s infrastructure that Beijing could use in the event of a U.S.-China conflict, and that the water supply has proved to be among the weakest of those links.
Matt Hayden, a Cipher Brief expert and former Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy at the Department of Homeland Security, says hackers have taken advantage of poor cybersecurity to “enter” water facilities and “park there,” as he put it. Hayden likened the hackers’ approach to the “targeting of an unlocked door...they're looking to find any organization that doesn't have that cyber hygiene down pat or has a known vulnerability that's screaming to be exploited, they're going to go there first.”
In March, the White House and the Environmental Protection Agency (EPA) asked the nation’s governors to draw up plans by June 28 to deal with cybersecurity risks in their states’ water systems. And earlier this month, Reps. Rick Crawford (R-Ark.) and John Duarte (R-Calif.) proposed a bill that would create a governing body to develop cybersecurity mandates for water systems and work with the EPA to enforce new rules.
The Cipher Brief spoke with Hayden and Rear Adm. (Ret.) Mark Montgomery, a senior director at the Center on Cyber and Technology Innovation (CCTI). The two agreed on the gravity of the threat, the need to publicize it more effectively, and they offered a range of ideas to fix or at least mitigate the problem. The biggest challenge, Montgomery said, was to upgrade protective measures; the nation’s water facilities are getting hit, he said, because of “a perfect storm of not ready.”
THE CONTEXT
- CyberAv3ngers, a hacking group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), hacked the Municipal Water Authority in Aliquippa, Pennsylvania in November 2023. The group accessed a pump that regulates pressure in the water system. Officials say the attack did not threaten water availability. The hackers targeted programmable logic controllers (PLCs) made by Israeli company Unitronics. The group threatened to continue hacking Israeli-made equipment.
- The Cyber Army of Russia Reborn (CARR) hacking group claimed responsibility for a hack of the water supply system of Muleshoe, Texas in January 2024. Mandiant said the Russian government-linked hacking group Sandworm may have been behind the attack, after linking social media accounts and servers used by CARR to Sandworm.
- On March 19, national security advisor Jake Sullivan and Environmental Protection Agency (EPA) Administrator Michael Regan warned that water and wastewater utilities are facing “disabling cyberattacks.”
- The EPA and the White House are urging governors to develop plans to address cybersecurity risks in water systems by June 28.
THE EXPERTS
These interviews have been lightly edited for clarity.
The Cipher Brief: I'm not sure everybody's familiar with the scope of the problem. How bad is it and how worried are you?
Hayden: Regrettably, the threat is very real. The water sector is seeing direct attacks that we haven't seen in other sectors for a number of reasons. We have seen nation-state and criminal actors on the networks of water treatment plants in which they are, let's just call it, seeing what they can do. Not having devastating effects, but compromising the system's remote capabilities and navigating those very sensitive controls.
The water sector has a lot of challenges. They are dealing with technology that wasn't designed with the internet in mind. So they have a very poor defensible position, and then they are what government would refer to as resource-poor, target-rich type infrastructure. A lot of them are in municipal environments or have local price challenges where they can't just charge more to provide more security for those platforms. At the same time, you have adversaries that now see them as very viable targets.
Montgomery: When we first began writing on this, it kind of fell on deaf ears. We put out a pretty damning report, calling water the weak link of our national critical infrastructure because it supports so many other critical infrastructures, whether it's food, energy, port systems, it’s an important part of our manufacturing processes and obviously it's a critical part of public health and safety. And what we saw when we looked at it was that water was vulnerable. It combined this perfect storm of not ready. When you're ready, you have a good critical infrastructure, a good contribution to security by your utilities, a good performance support by the federal government, and then finally you have a good public-private collaboration. All three elements were missing.
Water is generally run through utilities that are county or local level. They don't have a lot of spare change to put into cybersecurity. It's a risk they've been willing to take as they heavily automated their systems over the last 20 years.
The second part is the federal agency responsible was the EPA, which underfunded and under-resourced its responsibilities as that sector management agency. To give you a perspective, they spent about $5 million in the kind of programs the Department of Energy spends $100 million on, for a similar kind of industry. So a 20 to 1 ratio.
So two, three years ago, we were saying this is a highly vulnerable area. We needed to get hot on this and frankly we stayed cold. As a result, it's remained extremely vulnerable.
The Cipher Brief: What do we know about the perpetrators. Who are the culprits here?
Montgomery: The first one is criminal actors. These are ransomware actors, or service providers that have sold ransomware tools to another criminal actor who then conducts a ransomware exploit.
The second group are nation states who are highly competitive with the United States, like China and Russia, who put malicious payloads or malware into systems for future use in a crisis or contingency. We found some Chinese malware in water systems as part of the Volt Typhoon exploit, but there've been others, and there's been warnings about Russia. And we've seen this recently with Iranians who have broken into systems and just left behind indications that “we’re there.” While they weren't there to disrupt the system, they were there to point out the weakness.
Hayden: The actors at the nation-state level, it’s the living-off-the-land technique. This is what we saw with Volt Typhoon, in which Chinese actors were leveraging the security tools that are available to monitor the platform, to deceive and hide their tracks, and set up shop on that network and identify the resources and the services that are available, should they choose to leverage disruption or destruction of that critical infrastructure. And the U.S. government, they have come out and said, the Chinese government is targeting our water system, and it's definitely something with extreme attention paid to it.
The Cipher Brief: And with the China example, the game there was to probe around so that if it does come to some sort of US-China conflict, they don't have to start from scratch - they know they have a way in?
Montgomery: I would call it, in military terms, operational preparation of the battlefield. They were going around to our national critical infrastructures, probing for weaknesses, areas that they could penetrate, and then also installing malicious payloads so they could come back at a later date and initiate that payload, that malicious software, in a way to disrupt or degrade the performance of our national critical infrastructures. This is a pretty significant thing.
Hayden: If you can take out our critical infrastructure, you can disrupt our way of life domestically. And so those are targets that are used as diplomatic pawns, as well as elements of an engagement that may lead itself up to types of critical infrastructure being targeted for future kinetic activities, such as we see with the potential in the Taiwan Strait.
The Cipher Brief: Some of the targets have been very remote, and small. Mandiant reported attacks in rural Texas, a small town called Muleshoe. What's the thinking there? Is that just because it's easier to breach?
Hayden: This is where the AI story comes in. We're starting to see technology in the hands of bad actors to leverage that phone book, if you will, of where vulnerabilities exist and where they're ripe for exploiting. So you may have a bad actor that has a set of tools and they open up these AI-driven engines to “vulnerability scan” a lot of our critical infrastructure. And when they find an organization that has that low-hanging fruit of vulnerabilities that are available, that you can see through the internet, they're going to exploit them. And so it's not necessarily a targeting of a rural environment as much as it is a targeting of an unlocked door. And so they're looking to find any organization that doesn't have that cyber hygiene down pat or has a known vulnerability that's screaming to be exploited, they're going to go there first.
The Cipher Brief: And for the layperson, the door is open, to use your metaphor. How does it work? How do they get in and what do they do once they're inside the door?
Hayden: Not speaking specifically to the incident in Texas, but just in general, there are what we refer to as edge devices. This could be the modem with which you connect to the internet. This could be your Cisco firewall or insert-brand-name-here firewall. They all require service packs, updates, patching.
And if you're not up to date on patching your edge devices or securing them or mitigating them from risk of people getting into them, they can be used against you. Devices that connect to the internet that aren't routinely patched and mandated with updates shine like a bright light in a dark cave of vulnerable assets that can be taken by individuals looking for them.
The Cipher Brief: Let's turn – because this is potentially nightmarish stuff – to what can be done about it.
Montgomery: There’s a bunch we can do. It's industry, the government, and then it’s industry and government working together.
Obviously, industry can practice good cyber hygiene, good cyber projects. There's basic things they can do to improve themselves. We're running a small test with the Cyber Readiness Institute where we're going into about 500 small local utilities and working with them on basic cyber training. Just simple things like how to do multi-factor authentication, how to do strong password control, how to do automatic patching of your systems. So that's one set.
For the more medium-sized and large, we proposed and there is now legislation on the floor of the House of Representatives that says, Let's set up a water risk and resilience organization. What this does is say, Look, EPA, you don't have enough people to regulate this industry. The EPA has about four or five people in their cybersecurity shop and there's 55,000 utilities. But EPA can set a standard, and then empower a nonprofit, a non-government organization, as a water risk resilience organization that then takes those standards from EPA and using a comprehensive team goes out and does third-party assessments of utilities. Then the utilities get these gap analyses and they have to correct them. And more than that, the nonprofit can direct those utilities, Hey, here's how you can get that fixed in a free or very cheap manner from something provided by the government or by water associations or from grant programs that exist.
So there you get an assessment, a mitigation plan, and a solution.
The Cipher Brief: Regarding the recent White House message to the governors – if you’re a governor, what do you do now that you've been told that this should be near the top of your concerns?
Hayden: The good news is the governors have teams at their disposal where it is their number-one priority, these type of critical infrastructure responses. They have both emergency management teams as well as national security/homeland security teams. Most of the states, if not all, have their own network security platform. So we're talking a combination of fusion centers, law enforcement, as well as municipalities that participate together in a fabric of security services that join in for monitoring.
So let's start with assessment. How many water plants do we have? Do we have the contact information and the phone number of the person? And we've got some shared services we've deployed to keep an eye on anything that starts to pop up. Uncle Sam, what are you seeing? And is there anything we should prioritize on top of this? And that conversation just matures down that road, but it's the luxury that a modern-day governor has – those teams are in place. It's just a matter of saying, OK, you may have been focused on the electric grid. Don't stop doing that, but take a quick pivot and do an assessment of your water first.
Montgomery: There's no special budget that goes along with the letter from the White House. I mean, that's one of the problems with executive branch-driven solutions. Almost 100 percent come with no money attached. If you want money, you have to go to Congress. And so they really do need to work with Congress to get the solution. I think there's a deal to be had. Some of the things the executive branch would like to do, along with this legislation that the Congress would like to do, if we could do them together, I think we'd be in a good spot.
Hayden: I’d like to note that some of these attacks are happening because the actors themselves don't believe there's going to be retaliation. So there's a deterrence element that is missing. And the United States government has the ability and tools and expertise to really take on strategic deterrence across the diplomatic spectrum. But that includes leveraging our assets across U.S. Cyber Command and others, to take a look at those that target our critical infrastructure and respond in a public way. In the past, there were conversations with leaders, you didn't have to respond cyber for cyber. But we've come to this point to where now there needs to be effective campaigns against bad actors that strengthen the U.S. protections of critical infrastructure because you'll know if you do this, you're gonna get burnt. And until that happens, there's going to be people who believe that they can get away with this.
The Cipher Brief: This issue isn’t getting a lot of public attention. How important is it that the public be made aware of all the things we've been talking about?
Hayden: If we're doing our jobs of communicating the threats and risks from strategic competitors as well as adversaries, there wouldn't be as much ambiguity towards those types of subject areas. So it's definitely a challenge. It's hard to cut through, but this is definitely a subject that has to stay strategically forward for the national security community and those that rely on it.
Montgomery: Well, should the adversary have a very successful attack, we'll have a lot of attention on it then.
How did we get pipeline security on the right track? The Colonial Pipeline ransomware incident, where we didn't have fuel on the East Coast at airports and in gas stations. I think it's good to avoid that.
We've been also working on the healthcare industry, and its cybersecurity is a dumpster fire on par with water’s. I'd like to avoid that in water because when you have a real water problem, people actually die. So we'll try to avoid that. But I think that's the number one way to avoid this, to solve this problem is probably an adversary effect. The number two way would be Congress does the right thing, passes this law, the executive branch grabs it, runs with it, and we'll be in better shape. But you know that's going to be a tight race between those two solutions.
The Cipher Brief: What's your confidence level when all is said and done?
Montgomery: It is still the weakest link in our national critical infrastructure. It's getting some competition from healthcare. It's getting some competition from port cybersecurity. It's getting a lot of competition from agriculture and food, but water is still locked up in the bottom place in the relegation table as far as critical infrastructure goes.
Hayden: The real challenge is resources. If there is a tool, a hardware, a software, an IT security professional that's needed to kind of fill that gap, that's where the challenge is. It's getting those personnel, getting that hardware software in place in a resource strapped environment. So that's really the wrinkle that still holds. But from a how to do it, and will to do it, the confidence is very high.