The US government has issued a warning to its allies that state-backed hackers from Iran and China are increasingly targeting critical infrastructure, with the most notable attacks being on water systems.
The Cybersecurity and Infrastructure Security Agency (CISA) investigated a series of Iranian attacks targeting Unitronics programmable logic controllers (PLCs) used in water facilities.
China has also turned its attention to probing U.S. critical infrastructure, in what government officials say could be practice for a broader playbook in the event of a U.S.-China war.
Targeting the weakest link in the chain
A public letter issued by Environmental Protection Agency (EPA) Administrator Michael Regan and National Security Advisor Jake Sullivan said: “Disabling cyberattacks are impacting water and wastewater systems across the United States. These attacks have the potential to disrupt the vital lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
While the attack carried out by an Iranian-backed group did not affect the water supply at the targeted facility, the attackers did breach the PLCs that control that supply. Had the attack progressed further, they could have contaminated the water, damaged the facility itself, or cut off the municipal water supply altogether.
Volt Typhoon is the most likely culprit behind the Chinese activity, which has targeted water facilities alongside power grids, port infrastructure and at least one oil and gas pipeline. The letter went on to say: “Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”
Water facilities in the US have long been an easy target for cyberattacks because of chronic underfunding, low staffing levels, and a general lack of cybersecurity expertise. The Biden Administration recently announced that the burden of cybersecurity responsibility should shift to the private companies best positioned to reduce risk for small businesses and public institutions.
“In many cases, even basic cybersecurity precautions, such as resetting default passwords or updating software to address known vulnerabilities, are not applied and can mean the difference between business as usual and a disruptive cyberattack,” the letter said.
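The two basic precautions the letter names, resetting default passwords and patching known vulnerabilities, can be turned into a routine inventory check rather than a one-off. The script below is an added example, not code from the article or from any agency. It audits a constructed PLC inventory (the host names, firmware versions, minimum-version thresholds and address ranges are invented for illustration) for three gaps: a factory-default password, firmware below an assumed minimum, and a management port reachable from outside the plant's private address space. The one real value in it is the Unitronics default password 1111 and PCOM port 20256, which come from CISA's public advisory on the water-utility PLC incident rather than from this page.

```python
"""Audit a PLC inventory for the basic gaps the EPA/NSA letter calls out.

Added example. The inventory rows, thresholds and trusted ranges below are
constructed for illustration, not taken from a real site.
"""
import csv
import io
import ipaddress

# Factory-default credentials to flag. "1111" is the Unitronics Vision default
# named in CISA's public advisory on the water-utility PLC attacks; the others
# are generic placeholders a site would replace with its own vendor list.
DEFAULT_PASSWORDS = {"1111", "admin", "password", ""}

# Minimum acceptable firmware per vendor. These thresholds are assumptions for
# the example, not vendor guidance; a real check would load them from the
# vendor's advisories.
MIN_FIRMWARE = {"unitronics": (9, 9, 0), "acme": (2, 3, 1)}

# Only these source ranges may reach a PLC management port. Anything wider
# (above all 0.0.0.0/0) means the port is exposed beyond the plant network.
TRUSTED_SOURCES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed inventory. Port 20256 is the Unitronics PCOM port from the CISA
# advisory; "acme" is a fictional vendor using Modbus/TCP on 502.
INVENTORY_CSV = """host,vendor,firmware,mgmt_port,password,reachable_from
plc-intake-1,Unitronics,9.8.65,20256,1111,0.0.0.0/0
plc-chlor-2,Unitronics,9.9.00,20256,Kx!8qWq2,10.20.0.0/16
plc-pump-3,Acme,2.2.9,502,admin,10.20.0.0/16
plc-pump-4,Acme,2.4.0,502,R7$dLm2p,10.20.30.0/24
"""


def parse_version(text):
    """Turn a dotted version string such as '9.8.65' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_device(row):
    """Return the list of findings for one inventory row (empty if clean)."""
    findings = []
    vendor = row["vendor"].lower()

    if row["password"] in DEFAULT_PASSWORDS:
        findings.append("default-password")

    minimum = MIN_FIRMWARE.get(vendor)
    if minimum is not None and parse_version(row["firmware"]) < minimum:
        findings.append("outdated-firmware")

    # The range that can reach the management port must sit entirely inside
    # one of the trusted private ranges; 0.0.0.0/0 never does.
    source = ipaddress.ip_network(row["reachable_from"], strict=False)
    if not any(source.subnet_of(trusted) for trusted in TRUSTED_SOURCES):
        findings.append("management-port-exposed")

    return findings


def audit_inventory(csv_text):
    """Map each host in the CSV inventory to its findings."""
    return {row["host"]: audit_device(row) for row in csv.DictReader(io.StringIO(csv_text))}


def worst_first(results):
    """Hosts ordered by number of findings, most exposed first."""
    return sorted(results, key=lambda host: (-len(results[host]), host))


if __name__ == "__main__":
    results = audit_inventory(INVENTORY_CSV)
    for host in worst_first(results):
        status = ", ".join(results[host]) or "ok"
        print(f"{host:14s} {status}")
```

A device that trips all three checks, like the first row here, is the shape the letter describes: a default credential on a management port that the whole internet can reach. The exposure check deliberately relies on an explicit allow-list of private ranges instead of a library's notion of "private", so a permissive rule such as 0.0.0.0/0 is always flagged.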
Via Bloomberg