
Infrastructure defense: Water and wastewater systems
Our first post on infrastructure detailed why water, communications, energy, and transportation are the core critical infrastructure sectors in the United States. In this post, we’ll review the Water and Wastewater System Sector, its governing entities, and the threat actors who attempt to disrupt water systems.
This sector ensures access to clean drinking water and proper wastewater treatment. CISA tells us there are 152,000 public drinking water systems, including 50,000 community water systems (CWS) and over 16,000 wastewater treatment systems. These systems directly serve most of the U.S. population. There are another 100,000+ non-community water systems that serve customers like factories, hospitals, and other businesses that have their own internal systems. The EPA is the Sector Risk Management Agency (SRMA) for this sector.
Unfortunately for the U.S., over 70% of the systems inspected by EPA since September 2023 are in violation of the cybersecurity requirements of the Safe Drinking Water Act (SDWA). The good news is that many of the violations could be resolved by basic best practices, like changing default passwords, requiring multi-factor authentication, and enforcing the principle of least privilege. Because infrastructure facilities rely on both information technology (IT) and operational technology (OT) systems to operate, these networks evolve into hybrid networks with unknown security gaps. Water and other utility operators need to ensure they have full visibility of their entire network. They also need consistent security policies, uniform solutions, and thoughtful segmentation of the growing attack surface.
Beyond lacking in basic cybersecurity hygiene, many water systems failed to complete the mandated Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs). The EPA describes the purpose of RRAs and ERPs like this:
“Your RRA may identify hurricanes as a significant risk for your utility and outline cost-effective countermeasures to lower your risk. Your ERP, grounded in the results of the RRA, then describes the processes and procedures that can be implemented to mitigate hurricane impacts (e.g., flooding) to your utility.”
As of June 1, 2024, the EPA has increased inspections and enforcement actions against non-compliant entities.
Threat Actors
State-sponsored threat actors are not the only groups attacking water systems, but they are currently the most prominent. For example:
Russian affiliates:
Hacktivist groups like People’s Cyber Army (PCA) and Z-Pentest have targeted vulnerabilities in virtual network computing (VNC) software, proprietary water control software, industrial control systems (ICS), and network electronics like firewalls. They also attack other critical infrastructure like energy, food and agriculture, and dams. They have been successful in reconfiguring the operating parameters of control systems and changing administrative passwords to lock out legitimate operators.
Threat actor Sandworm is officially designated “Military Unit 74455” and operates as a cyberwarfare unit within the Russian military intelligence agency. The Cyber Army of Russia Reborn (CARR) is linked to Sandworm but operates in a more reckless and aggressive manner. Some experts believe the Russian military intelligence agency established CARR to conduct attacks ill-suited to the more sophisticated Sandworm. Both threat actors target critical infrastructure systems and system controllers.
One of the most troublesome of these attacks happened in Muleshoe, Texas, in January 2024. Muleshoe is less than 40 miles from Cannon Air Force Base, home to U.S. Air Force Special Operations Command and the 27th Special Operations Wing. Threat actors were able to reconfigure control systems and cause a water tank to overflow. The threat actors used the same attack against the nearby cities of Abernathy, Hale Center, and Lockney, and posted videos of themselves interacting with the water control systems.
Researchers from Mandiant linked these attacks to Sandworm, though CARR took credit. You can get more details on these attacks here.
Iranian affiliates:
Threat actor Cyber Av3ngers is allegedly connected to Iran’s Islamic Revolutionary Guard Corps (IRGC). Cyber Av3ngers was originally thought to be an independent hacktivist group but was linked to the IRGC by “connections to previously identified hacking campaigns, the targeting, and other non-public information.” The IRGC is also said to have threat actors operating directly within its Cyber-Electronic Command (CEC, or IRGC-CEC).
Cyber Av3ngers and CEC threat actors have targeted programmable logic controllers (PLCs) and other operational technology (OT) to compromise U.S. water systems. This is a classic supply chain attack against U.S. infrastructure through exploits on a vulnerable third-party PLC. Because the vulnerable PLCs are made in Israel, the Cyber Av3ngers group uses this opportunity to target both the U.S. and Israel in a single attack.
“You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
Reports indicate the group is conducting low-level, opportunistic attacks targeting Israeli-made equipment. Other research shows the threat actors becoming more sophisticated, using custom malware IOCONTROL to infiltrate water systems and gas stations.
People’s Republic of China (PRC) affiliates:
The PRC has a sophisticated cyber force that is organized into military and non-governmental forces. The People’s Liberation Army (PLA) controls the military forces, which target satellite and communications companies in the U.S., Japan, and Europe. Besides the military units, there are tens of thousands of civilians who assist with attack and defense activities. The ideological alignment and the sheer numbers of military and civilian threat actors make the PRC cyber operation among the most formidable in the world.
The U.S. Office of the Director of National Intelligence reports that PRC-affiliated attacks are among the “greatest and most persistent threats to U.S. national security.” This is largely because of the volume of attacks and the sophistication of the Advanced Persistent Threats (APTs) sponsored by the PRC. The U.S. House of Representatives unanimously approved House Resolution 9769, which would establish a task force “to tackle the extensive cybersecurity threats posed by state-sponsored cyber actors linked to the PRC.”
PRC threat actor Salt Typhoon is currently in the headlines for its massive attack on U.S. telecommunication networks. Salt Typhoon actors are skilled in using living-off-the-land (LotL) techniques to maintain persistence and stealth. They are not currently linked to attacks on water systems, but all sectors depend on reliable communications. Authorities have warned all industries and sectors to defend against this threat.
Earlier this year, U.S. officials discovered that PRC-affiliated threat actor Volt Typhoon had been maintaining access within key infrastructure systems for at least five years. This threat actor engages in ‘pre-positioning’ activity, which means the attacker positions itself to conduct future attacks. Through these threat actors, the PRC has immediate access to U.S. infrastructure, which it can use at will. Volt Typhoon attacks all infrastructure sectors, with emphasis on energy, communications, transportation, and water.
Threat actor BlackTech has targeted government systems, multiple infrastructure sectors, and entities that support the militaries of the U.S. and Japan. This group is known for its longevity and broad inventory of custom malware and persistence mechanisms. BlackTech targets vulnerable firewalls that guard the remote or branch offices of larger companies. Once inside, they try to blend in with network traffic, move to the larger networks, and escalate privileges until they have full administrative control over the targeted assets.
In September 2023, a joint advisory authored by authorities in the U.S. and Japan warned the public:
“BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S.—the primary targets.”
The U.S. National Security Agency (NSA) joined other law enforcement agencies in warning the public about these threats.
Challenges to water and wastewater system security
Budget constraints, legacy/end-of-life systems, and supply chain vulnerabilities are challenges for all sectors, and the guidance to mitigate these risks will be similar across the board. However, the fragmentation of the water infrastructure poses some unique challenges.
92% of community water systems are small public water systems (PWSs) that serve fewer than 10,000 customers. Most small PWS providers serve fewer than 500 customers, which makes them attractive to threat actors looking for easy targets. Smaller systems often have fewer resources and less cybersecurity expertise at hand, which is why those basic cyber hygiene practices are so important. Disciplined and consistent patch management and credential security can close many of the gaps in these networks.
“The community risk from cyberattacks includes an attacker gaining control of the operations of a system to damage infrastructure, disrupt the availability or flow of water, or altering the chemical levels, which could allow untreated wastewater to be discharged into a waterway or contaminate drinking water provided to a community,” ~ EPA Spokesman quoted by CNBC: America’s drinking water is facing attack, with links back to China, Russia and Iran.
Guidance to water system operators
“Water is among the least mature in terms of security,” Adam Isles, head of cybersecurity practice for Chertoff Group, quoted by CNBC: Biden admin, U.S. ports prep for cyberattacks as nationwide infrastructure is targeted
The EPA, CISA, and other agencies have published best practices and other guidance for infrastructure:
- Network Security: Limit the internet connectivity of operational technology (OT) devices like controllers and remote terminals. Where possible, maintain segmentation between IT and OT systems.
- Access Control and Authentication: Change default passwords immediately and enforce strong access control measures, including multi-factor authentication (MFA) where possible. Deploy a zero-trust solution that protects access to all IT and OT systems.
- Asset Management: Maintain a current inventory of OT/IT assets to understand what needs protection. Prioritize higher-risk devices like automated or internet-connected devices.
- Backup and Recovery: Regularly back up both OT and IT systems, using the NIST 3-2-1 system. Test backup procedures regularly and monitor the system for new file shares and data storage locations that may be outside the current backup set.
- Vulnerability Management: Mitigate known vulnerabilities and apply patches and security updates as soon as possible. Prioritize patches according to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
- Training and Awareness: Train staff and contractors on cybersecurity awareness and best practices. Teach employees to recognize and avoid phishing attempts.
- Incident Response Planning: Develop and test cybersecurity incident response and recovery plans. Establish emergency procedures for manually operating automated systems in case those systems are compromised.
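As an added example (not code from this post, the EPA, or CISA), the Python script below ranks an inventory's open CVEs for patching the way the Asset Management and Vulnerability Management items above suggest: entries in CISA's KEV catalog come first, overdue KEV due dates outrank everything else, and internet-exposed and OT devices break ties. The KEV field names follow CISA's public JSON feed; the inventory and KEV snapshot are constructed samples with placeholder CVE ids.

```python
# Patch-prioritisation helper for a small utility's OT/IT inventory. Inputs are
# constructed samples; KEV field names (cveID, dueDate, knownRansomwareCampaignUse) follow CISA's feed.
from datetime import date

# Constructed KEV snapshot; the CVE ids are placeholders, not real catalog entries.
KEV_SNAPSHOT = {"vulnerabilities": [
    {"cveID": "CVE-1900-0001", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0002", "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Known"},
]}

# Constructed asset inventory: device, role, exposure and its open CVEs.
INVENTORY = [
    {"asset": "plc-tank-01", "kind": "OT", "internet_exposed": True, "cves": ["CVE-1900-0001", "CVE-1900-0003"]},
    {"asset": "hmi-ops-01", "kind": "OT", "internet_exposed": False, "cves": ["CVE-1900-0002"]},
    {"asset": "billing-srv-01", "kind": "IT", "internet_exposed": True, "cves": ["CVE-1900-0002"]},
    {"asset": "office-pc-07", "kind": "IT", "internet_exposed": False, "cves": ["CVE-1900-0003"]},
]

def kev_index(snapshot):
    """Map cveID -> KEV entry for constant-time lookup."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}

def score(asset, cve, kev, today):
    """Higher score = patch sooner. KEV membership dominates; overdue due date, ransomware use, exposure and OT role add weight."""
    s = 0
    entry = kev.get(cve)
    if entry:
        s += 100
        if date.fromisoformat(entry["dueDate"]) < today:
            s += 50   # past CISA's remediation due date
        if entry["knownRansomwareCampaignUse"] == "Known":
            s += 20
    if asset["internet_exposed"]:
        s += 10   # reachable from the internet: attacker-facing
    if asset["kind"] == "OT":
        s += 5    # controllers/HMIs directly affect the physical process
    return s

def prioritise(inventory, snapshot, today):
    """Return (asset, cve, score) tuples, highest priority first."""
    kev = kev_index(snapshot)
    rows = [(a["asset"], c, score(a, c, kev, today))
            for a in inventory for c in a["cves"]]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

def example_ranking():
    """Rank the constructed inventory as of a fixed date so the result is reproducible."""
    return prioritise(INVENTORY, KEV_SNAPSHOT, date(2024, 3, 1))
```

In practice the snapshot would be the current KEV JSON feed and the inventory the utility's own asset list; `prioritise(inventory, snapshot, date.today())` then gives the patch order.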
The EPA has more security guidance here.
Guidance to the public
CISA and other agencies have also issued guidance to the public. These range from common cybersecurity practices to infrastructure advocacy.
- Practice good cybersecurity habits at home, especially if you use smart water meters or internet-connected water devices. This includes using strong passwords and multi-factor authentication (MFA) for any accounts related to water services.
- Report suspicious behavior observed near water infrastructure facilities. These could be water sources, treatment plants, distribution systems, or other elements of the infrastructure. The governing entity may be a local authority or a water utility.
- Engage with local officials and utilities to learn about water system challenges in your community. Advocate for increased cybersecurity resources where needed.
Users and employees of water infrastructure systems must diligently protect their credentials. Attackers will strategically target individuals relevant to the larger attack. We’ve seen this happen many times, most recently by IRGC threat actors who are targeting individuals who “have some nexus to Iranian and Middle Eastern affairs, such as current or former senior government officials, senior think tank personnel, journalists, activists, and lobbyists. More recently, FBI has observed these actors targeting persons associated with US political campaigns.”
This same type of threat is used against individuals affiliated with water and other infrastructure systems. Critical infrastructure is a national security issue. Each operator in these systems should encourage a culture of security awareness and practice good cyber hygiene.
Our next blog on infrastructure will cover the communications sector. If you’d like to know more about critical infrastructure, the official U.S. website has a ton of resources.