March 20th – In the U.S., the White House has issued an urgent warning to state leaders, highlighting the occurrence of “disabling” cyber attacks targeting water systems nationwide.
In a joint letter, the White House and the Environmental Protection Agency (EPA) have invited state officials to a meeting scheduled for Thursday. The purpose of the gathering is to deliberate on strategies to enhance digital defenses for over 150,000 water utilities across the united states.
Concurrently, the EPA is establishing a water sector cyber security task force that will identify the sector’s most significant challenges and formulate defensive strategies.
Disabling cyber attacks
National Security Advisor Jake Sullivan and EPA Administrator Michael Regan emphasized the gravity of the situation in their letter, stating “Disabling cyber attacks are striking water and wastewater systems throughout the United States.”
And “These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
The letter calls out the activities of nation-state backed hacking group Volt Typhoon. The U.S is concerned that Volt Typhoon, sanctioned by the Chinese government, is positioning itself to carry out disruptive attacks in the event of a conflict over Taiwan.
Volt Typhoon’s campaign
Last week, outgoing NSA cyber security director Rob Joyce warned reporters that federal investigators are still finding victims of Volt Typhoon’s hacking campaign. The full extent of the group’s activities remains unclear.
According to Joyce, the campaign has two primary objectives: disrupting U.S. communications and military deployments to East Asia in case of a conflict between America and China, and disabling American systems in order to incite widespread panic in the event of a political crisis.
EPA rules for water
Last year, the EPA attempted to impose more stringent cyber security rules for water utilities, but backed off amid legal challenges to the effort. The EPA’s initiative relied on a creative approach to leverage the agency’s sanitation authorities, who would impose some measure of cyber security mandates.
This move was part of a broader attempt to implement more stringent cyber security regulations for critical infrastructure sectors, many of which remain unregulated in terms of cyber security. In the absence of the EPA rules, the water sector continues to operate without binding cyber security rules.
Underfunded
Notably, significant portions of the water sector are notoriously underfunded, leaving them ill-equipped to secure themselves against state-backed threats. Experts have emphasized the need for additional funding to improve defenses within this sector.
To explore some of CyberTalk.org’s past water sector coverage, please click here and here. Lastly, subscribe to the CyberTalk.org newsletter for timely insights, cutting-edge analyses and more, delivered straight to your inbox each week.