The US government has warned its allies that state-sponsored hackers from Iran and China are increasingly targeting critical infrastructure, with the most notable attacks on water systems.
The Cybersecurity and Infrastructure Security Agency (CISA) investigated a number of Iranian attacks targeting Unitronic Programmable Logic Controllers (PLC) used in water facilities.
China has also turned its attention to probing critical U.S. infrastructure, which administration officials say could be a practice for a broader playbook in the event of a U.S.-China war.
Aimed at the weakest link in the chain
A public letter from Environment Protection Agency (EPA) Administrator Michael Regan and National Security Advisor Jake Sullivan states: “Disabling cyber attacks is impacting water and wastewater systems across the United States. These attacks have the potential to disrupt the crucial lifeline of clean and safe drinking water and impose significant costs on affected communities.”
Although the attack carried out by an Iranian-backed group did not affect the water supply of the targeted facility, a breach of the PLCs used to control the water supply means that if the attack had progressed further, the attackers could have contaminated the water , damaged the facility itself, or even knocked out the municipal water supply.
Volt Typhoon is the most likely culprit behind China’s attacks, with water facilities in addition to electricity grids, port infrastructure and at least one oil and gas pipeline. The letter continued, stating: “Federal departments and agencies assess with high confidence that Volt Typhoon actors are preparing themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflict.”
U.S. water facilities have long been easy targets for cyberattacks due to critical underfunding, low staffing levels and a general lack of cybersecurity. The Biden administration recently announced that responsibility for cybersecurity should be shifted to private companies that are best positioned to reduce risks to small businesses and public institutions.
“In many cases, even basic cybersecurity measures – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between ‘business as usual’ and a disruptive cyber attack,” the letter said .
Through Bloomberg