
Attacks on U.S. Water Sector Should Spur Action, Not Just Alarm

April 30th, 2024



Today the White House is releasing a National Security Memo to replace and modernize the rules of the road issued in 2013 for Critical Infrastructure, PPD-21. This is a significant advancement to a policy that now lists the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead coordinator. The water sector and its members are included in the directive for protection as a Systemically Important Entity (SIE).

Earlier this month, it was revealed that the hackers who infiltrated a Texas water facility in January and caused a major system malfunction are likely Russian affiliates. This was the latest in a string of U.S. water system breaches, many with links to Iran and China. In fact, in just the last six months, similar cyberattacks on critical water infrastructure have happened in Georgia, Florida, Pennsylvania and Indiana, too. Of the more than 153K water system entities, these attacks mostly focused on rural towns whose capacity and resources to respond are far outmatched by these nation-state aggressors, making them prime targets.

And they won’t be the last.

This is why it’s incredibly important that the water sector, like every sector of critical infrastructure in the U.S., take action to enhance both cybersecurity and resilience. Specifically, there are five things the water sector can do now to plan and prepare for the near inevitability of an attack or an attempted one.

Increase protections and partnerships to become as defensible and resilient as possible.

This can involve leveraging managed services for target-rich, resource-poor entities via state and local services as well as regional or federal support. CISA offers shared services for cyber hygiene and vulnerability scanning through coordination with the Environmental Protection Agency. It has also released a set of Cyber Protection Goals, which can help to set baselines, determine the maturity of services, and identify where additional resources are needed. The FBI has similar partnership efforts in place to support the security and resiliency of our critical infrastructure.

Simulate an attack, identify the crown jewels, then prioritize protecting them first.

These types of simulation exercises can be incredibly valuable in understanding vulnerabilities and the mitigation tools available to address them. In an environment where hackers are leaning on new technology – such as using AI to find new targets based on their similarities to successful exploits of the past – it is more important than ever that water sector members know where their weaknesses are and take immediate steps to tackle them.

Know what normal looks like – for you.

With this information in hand, water sector members can identify when things change, not just when things break. This is important because adversaries who specialize in gaining access and exfiltrating bulk or sensitive data have begun to switch tactics to instead gain persistent access to systems and data. They’re "living off the land" and masking their identities by, ironically, leveraging the very tools that monitor and secure platforms. That access is then being used to establish a footprint for disruption at a future time and, therefore, must be identified and mitigated before it’s too late.

Embrace secure by design and zero trust principles.

Too often, the remote monitoring and management tools of operational technology (OT) are being bolted on to legacy equipment without role-based access (or least privilege capabilities) that would deter bad actors once they get onto a network. This is why a layered approach to security is always the best approach. Tools and systems with built-in security will always be preferable to those without such considerations. These, in concert with a modern zero trust approach that assumes nothing and protects both systems and data, will make for a stronger and more resilient security posture.

Know that communication is a strategic deterrent.

This is why the federal government is leveraging a campaign to make cyber preparedness tools and strengths available across agencies, and to clearly communicate about this effort to those that would consider targeting critical infrastructure in the future. These resources, many of which are available through CISA as noted earlier, will help the water sector plan and prepare for an attack and to similarly communicate their preparedness to bad actors who may have their sights set on them.

GDIT is continually collaborating with customers at the federal, state and local level to help them prepare, plan and respond to cyber threats, and to ensure they’re leveraging every resource available in the pursuit of that goal. We understand the threat to the nation’s critical infrastructure is real, constant and – together – addressable.