EPA Alert Warns Nation’s Drinking Water at Risk: SecurityScorecard’s recommendations for securing critical infrastructure
“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks.” -EPA Deputy Administrator Janet McCabe
This week, the U.S. Environmental Protection Agency (EPA) warned that cyberattacks against water utilities across the country are becoming more frequent and more severe. The agency urged water systems to take immediate actions to protect the nation’s drinking water. According to the EPA, there are more than 150,000 public water systems across the U.S. serving over 300 million people—virtually all of which are administered and secured at local levels of government.
According to the alert, some water systems are failing at basic cyber hygiene: whether it’s changing default passwords or cutting off system access to former employees. These systems are especially vulnerable to cyber intrusions because they often rely on computer software to operate treatment plants and distribution systems. The agency warns that if these issues are not addressed, it could lead to: interruptions of water treatment and storage; damage to pumps and valves; and alteration of chemical levels to hazardous amounts.
Over 70% of water systems inspected by federal officials do not fully comply with requirements in the Safe Drinking Water Act.
In the last year, over 70% of water systems inspected by federal officials do not fully comply with requirements in the Safe Drinking Water Act, and that some of those systems have critical cybersecurity vulnerabilities. The EPA says it will increase the number of planned inspections and, when appropriate, take civil and criminal enforcement actions.
EPA Deputy Administrator Janet McCabe notes that geopolitical rivals such as Russia, China, and Iran are increasingly targeting U.S. utilities. Last year’s widely publicized attack on the municipal water system in Aliquippa, Pennsylvania, was carried out by the Iranian-linked “Cyber Av3ngers” group.
Nation-state actors targeting U.S. utilities
Earlier this year, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning that the hacking group known as Volt Typhoon’ has been lurking in US critical infrastructure systems for at least five years.
The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team has tracked Volt Typhoon extensively. The state-sponsored threat actor group, believed to act on behalf of the People’s Republic of China, has been positioning itself to sabotage US critical infrastructure in the event of any military conflict over Taiwan. Additionally, the hackers may be prowling inside the networks of Canada, New Zealand, and Australia. The warning noted that the group has been interested in a few specific areas of US critical infrastructure, including water and wastewater treatment systems.
Federal cybersecurity recommendations
To boost the cyber resilience of the nation’s water utilities, the EPA, CISA, and FBI strongly recommend system operators take steps outlined in its updated joint fact sheet, Top Actions for Securing Water Systems. Those steps include:
- Reduce exposure to public-facing internet.
- Conduct regular cybersecurity assessments.
- Change default passwords immediately.
- Conduct an inventory of OT/IT assets.
- Develop and exercise cybersecurity incident response and recovery plans.
- Backup OT/IT systems.
- Reduce exposure to vulnerabilities.
- Conduct cybersecurity awareness training.
Additionally, EPA Administrator Michael S. Regan and National Security Advisor Jake Sullivan recently sent a letter to the nation’s governors, stressing the urgency of the threats and the importance of collaboration across federal and state partners to develop comprehensive strategies to close gaps in cyber-resilience. The National Security Council has also encouraged each state to prepare an action plan presenting the state’s strategy to mitigate the most significant cybersecurity vulnerabilities in the states’ water and wastewater systems by late June.
Securing critical infrastructure with CIRCIA
Strengthening critical infrastructure from cyberattacks is a growing priority. In fact, CISA recently published a set of proposed regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). First signed into law in March 2022, CIRCIA is one of the largest cybersecurity policy forms in recent history. The goal with CIRCIA is for CISA and other federal agencies to better respond to cyber incidents and discover weak points in our nation’s critical infrastructure.
The 447-page draft requires certain critical infrastructure organizations to report cyber incidents within 72 hours, and ransomware payments within 24 hours. To encourage timely and transparent reporting, CISA guarantees confidentiality will be ensured to the sectors that fall under this mandate. These sectors include: healthcare, financial services, energy, water utilities, manufacturing, and transportation. CIRCIA comes three years after the SolarWinds hack, which exposed the federal government’s lack of visibility regarding breaches into critical infrastructure entities. Among other key provisions, the rules require organizations to report incidents that affect safety, disrupt services, or stem from a third party.
Joint research from SecurityScorecard and the Cyentia Institute shows that 98% of companies have a relationship with a third party that has been breached. And while third parties typically receive most of the supply chain scrutiny, fourth-party vendors also create significant risk. This threat highlights the importance of identifying and assessing the security posture of all Nth parties in a company’s digital ecosystem.
STRIKE Team’s recommendations
As these threats continue to evolve, the need for continuous monitoring of the threat landscape, increased vigilance at the perimeter, and preparedness for the eventuality of an incident will likely increase.
SecurityScorecard’s tools can help organizations follow the recommendations that CISA, the FBI, and EPA have made in response to incidents affecting U.S. water systems and other critical infrastructure:
- Various issue types in the Network Security factor of SecurityScorecard’s ratings platform can identify services exposed to the wider internet.
- Its Patching Cadence and Application Security factors can help reduce organizations’ exposure to vulnerabilities by identifying software affected by vulnerabilities known to be exploited by threat actors that have targeted critical infrastructure.
- Its Credentials at Risk issue types can identify previously-compromised accounts that threat actors could reuse to access organizations’ systems.
- The Digital Footprint available in organizations’ scorecards can help organizations conduct inventories of their OT and IT systems.
- SecurityScorecard’s professional service offerings can support the development, implementation, and testing of incident response and recovery plans.