The federal government recently alerted governors that nation-state actors (China and Iran) are conducting cyberattacks on water systems across the United States and, in some cases, have breached their information systems while remaining undetected.
Such attacks threaten public safety and water system operations. Despite the severity of these threats, basic cybersecurity best practices can fend off most of these nation-state exploits.
However, China and Iran know that water systems are a particular vulnerability in the United States’ critical infrastructure. These special districts generally lack the right cybersecurity measures due to understaffing, budget issues, and obsolete technology.
The Cybersecurity and Infrastructure Security Agency (CISA) has detailed some basic cybersecurity measures that would help prevent many of these attacks and exploits, including:
1. Conducting regular cybersecurity assessments.
If you’re not assessing your cybersecurity, then you don’t know if you have gaps and vulnerabilities that can be exploited. Regular assessments can scan your networks, examine your existing policies and procedures, and even look at your physical security.
2. Changing default passwords now and using multi-factor authentication (MFA) wherever possible.
It’s both sad and stunning that so many water systems, a form of critical infrastructure, are run in such a way that important information and operational technology is reachable with default passwords or weak single-factor authentication. For the Iranian threat, CISA actually had to say, “Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password ‘1111’ is not in use.”
Don’t make it easy for cyberattackers. Change any default password to a complex password as soon as possible. Then, set up multi-factor authentication for any passwords that access your systems. Be on the lookout for entryways to your systems that may seem innocuous or overlooked, such as a third-party application that connects to your network.
3. Regularly applying patches and updates to all applications and systems.
Another routine cyberattacker tactic is looking for organizations that have not patched their software. It’s easy to scan for vulnerable systems and exploit them, especially for hackers who work for nation states like China and Iran. Patching and updating your systems is one of the easiest ways to prevent a cyberattack.
4. Using detection tools such as endpoint detection and response (EDR).
The days of antivirus are over. Antivirus worked like a guard assessing credentials at a door. If the credentials looked good, you’re in. If not, you’re out. But what if a bad actor gets inside with seemingly valid credentials? Antivirus would never know, allowing bad actors to reside within your systems, undetected.
That’s exactly China’s strategy. According to the governors’ letter, “Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”
A now standard tool such as endpoint detection and response (EDR) supersedes antivirus by using machine learning to detect anomalous behavior inside of your systems. If a bad actor gets inside, you are likely to detect and kick them out before they deploy malware, breach your data, or disrupt water infrastructure.
5. Providing security awareness training for all employees.
Employees might be focused on their specific jobs but unaware of the lengths that cyberattackers will go through to breach your systems. Unlike IT, cybersecurity is everyone’s responsibility. Everyone has a part to play, and each person is potentially a weak link.
Security awareness training will teach employees about basic best practices, phishing attacks, and trends in social engineering that may fool people into giving up user credentials.
6. Modernizing obsolete hardware and software no longer supported by the vendor.
When you are using old, obsolete, unsupported hardware and software, that means you’re not receiving security patches and updates. The longer the systems are unsupported, the more vulnerable they become. Modern systems are more secure, easier to maintain, and vendor-supported.
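As an added illustration (not part of the original post or of CISA’s guidance), the following script audits a constructed OT asset inventory against items 2, 3, and 6 above: default or weak passwords (including the Unitronics ‘1111’ value CISA calls out), remote access without MFA, stale patching, and unsupported equipment. The device names, the 30-day patch threshold, and the default-password list other than ‘1111’ are assumptions made for the example.

```python
from datetime import date

# Constructed default-credential list. "1111" is the Unitronics PLC default named
# in the CISA guidance above; "admin" and "password" are generic placeholders.
KNOWN_DEFAULT_PASSWORDS = {"1111", "admin", "password"}
MIN_PASSWORD_LENGTH = 12
MAX_PATCH_AGE_DAYS = 30          # assumed local policy threshold, not a CISA figure
AUDIT_DATE = date(2024, 3, 20)   # fixed "today" so the sample run is reproducible

def password_findings(password):
    """Return the list of problems with one credential (empty means acceptable)."""
    issues = []
    if password in KNOWN_DEFAULT_PASSWORDS:
        issues.append("default password in use")
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if password.isdigit() or password.isalpha():
        issues.append("password uses a single character class")
    return issues

def audit_asset(asset, today):
    """Check one inventory record against the CISA items; return finding strings."""
    name = asset["name"]
    findings = [f"{name}: {m}" for m in password_findings(asset["password"])]
    if asset.get("remote_access") and not asset.get("mfa"):
        findings.append(f"{name}: remotely reachable without MFA")
    if (today - asset["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"{name}: no patch applied in >{MAX_PATCH_AGE_DAYS} days")
    if not asset.get("vendor_supported", True):
        findings.append(f"{name}: hardware/software no longer vendor-supported")
    return findings

def audit_inventory(assets, today=None):
    """Run audit_asset over every record and flatten the findings."""
    today = today or date.today()
    return [f for a in assets for f in audit_asset(a, today)]

# Constructed sample inventory; names and values are made up for illustration.
SAMPLE_ASSETS = [
    {"name": "PLC-01", "password": "1111", "remote_access": True, "mfa": False,
     "last_patch": date(2023, 6, 1), "vendor_supported": True},
    {"name": "HMI-02", "password": "Tr3at-Plant!2024x", "remote_access": True,
     "mfa": True, "last_patch": date(2024, 3, 1), "vendor_supported": False},
    {"name": "SCADA-03", "password": "Pump#House-Long-Phrase", "remote_access": False,
     "mfa": False, "last_patch": date(2024, 3, 10), "vendor_supported": True},
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_ASSETS, today=AUDIT_DATE):
        print(line)
```

Feeding the script a real inventory export (one record per PLC, HMI, or server) turns the six CISA items into a repeatable checklist rather than a one-time assessment.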
---
In a fact sheet, CISA notes “For smaller organizations without their own in-house cybersecurity teams, leaders should obtain managed security services that can carry out this guidance to maintain sufficient cybersecurity posture.”
Many water special districts may be too small to staff for cybersecurity, and larger ones may need help if they are understaffed and wrestling with budget issues. VC3 can help water special districts:
- Assess their cybersecurity vulnerabilities and gaps.
- Deploy tools, best practices, and strategic oversight to protect critical infrastructure from cyberattacks.
- Monitor systems 24/7/365 for potential threats, which proactively strengthens your security posture.
If you feel your water special district is at risk from these and other critical cyber threats, reach out to us to have a conversation. We can provide water special districts with a resilient technology foundation supported by cybersecurity best practices, with the aim of protecting critical infrastructure and improving operational efficiency.