# Despite cyberattacks, water security standards remain a pipe dream

## White House floats round two of regulations

[Jessica Lyons](/Author/Jessica-Lyons) Sat 7 Sep 2024 // 12:33 UTC

**Feature** It sounds like the start of a bad joke: Digital trespassers from China, Russia, and Iran break into US water systems.

But as White House cybersecurity chief Anne Neuberger [reminded](https://www.c-span.org/video/?538067-2/white-house-senior-cyber-officials-speak-cybersecurity-summit#) Billington Cybersecurity Summit attendees on Tuesday, it’s not a joke.

‘Water is the only sector where we’ve seen three different countries attack water facilities in the United States,’ explained Neuberger.

The Russia and [Iran-linked intrusions](https://www.theregister.com/2023/12/04/iran_terrorist_us_water_attacks/) were attributed to hacktivists, as opposed to state-sponsored crews. Some threat intel teams have suggested the Russian military’s notorious [Sandworm group](https://www.theregister.com/2024/04/17/russia_sandworm_cyberattacks_water/) was behind cyberattacks on US and European water plants that, in at least one case, caused a tank to overflow.

Meanwhile, the feds have repeatedly blamed the Chinese government for the [Volt Typhoon activity](https://www.theregister.com/2024/02/07/us_chinas_volt_typhoon_attacks/) spotted on critical infrastructure systems — including water supplies.

And while there’s been ‘no consequential impact’ to date from these break-ins, ‘at some point, somebody’s going to land in a place, in critical infrastructure, that’s going to matter,’ former National Security Agency cyber boss Rob Joyce [warned](https://www.theregister.com/2024/05/09/china_russia_iran_infrastructure/) during the RSA Conference earlier this year.

Water infrastructure — just like power plants, electricity substations, manufacturing facilities, and other critical infrastructure — relies on operational technology (OT) systems and processes, which are [notoriously](https://www.theregister.com/2022/10/07/utility_security/) hard to secure. They aren’t updated as frequently as IT systems because they typically need to operate 24/7, and are often distributed across multiple locations, connecting to various networks. This also makes spotting and mitigating security threats more difficult.

‘The biggest point of vulnerability in water infrastructure is the reliance on legacy OT systems,’ observed Randy Watkins, chief technology officer at security firm Critical Start, adding that these older devices are often outdated, and ‘not designed with cybersecurity in mind.’

The Iranian hacktivist crew that exploited Israeli-made programmable logic controllers (PLCs) used in ‘multiple’ water systems across the US did not need to use sophisticated tactics. They likely broke into the facilities by using default passwords for internet-accessible PLCs.

‘These systems often control critical functions — such as water purification and distribution — and are increasingly connected to the internet, exposing them to remote cyberattacks,’ Watkins told *The Register*. ‘Threat actors have been known to exploit these vulnerabilities to manipulate water systems, potentially causing physical harm or contamination.’

There have been attempts to [plug the security holes](https://www.theregister.com/2024/03/20/us_water_sector_cybersecurity/) in this especially leaky sector, but so far they’ve gone nowhere. According to Neuberger, the White House is working on a second attempt at minimum cybersecurity standards for water after the first rules were dumped in response to states’ lawsuits.

Round two will likely be met with more pushback. Plus, the industry faces some severe challenges when it comes to securing the water supply and treatment facilities.

‘Think of electric utilities,’ Ron Fabela, field chief technology officer of ICS/OT security firm XONA, told *The Register*. ‘Every time they’re attacked, they say, well, in the US, there’s no national grid. And water utilities are even worse — it’s tens of thousands of smaller, little companies. Yes, water is critical to people. Can you attack and disrupt the national water supply? No.’

The lack of a national water supply and infrastructure also means disparate pools of funding and talent. A major metropolitan area — the Los Angeles County water districts, for example — is going to have a great deal more money and expertise to implement strong cybersecurity practices compared to smaller utilities across the country.

This is probably why it was easy for criminals to [compromise](https://www.myplainview.com/news/local/article/leaders-area-towns-discuss-cyber-attack-water-18640534.php) the water infrastructure equipment in Muleshoe, Texas — population just over 5,000 — causing a tank to overflow.

CyberArmyofRussia_Reborn’s Telegram channel later claimed credit for disrupting the human machine interfaces (HMI) controlling the operational technology (OT) systems.

Water systems in the US remain ‘target-rich, cyber-poor entities,’ Andrew Costis, engineering manager of the adversary research team at AttackIQ, told *The Register*.

Still, ‘the repercussions of cyberattacks on these systems extend beyond operational disruptions, posing significant risks to both human health and the environment through compromised access to safe drinking water and wastewater management,’ he added.

### Tsunami of challenges

Water facilities are much more attractive to would-be attackers than other forms of critical infrastructure.

Nick Tausek, lead security automation architect at infosec biz Swimlane, warned: ‘Compared to power generation, for example, water infrastructure receives much less attention. But as we have seen with cities like Flint, disruption to the water supply’s safety — whether from malfeasance or cyberattack — can have extremely long-lasting and dramatic repercussions.’

‘It’s not hard to imagine a nation-state actor using this historically easy target to simultaneously degrade water safety in multiple areas of the country during a future conflict to erode trust in institutions, harm the populace, and stretch resources away to deal with the water crisis,’ Tausek told *The Register*.

### EPA strikes out

The first push for minimum security standards began back in March 2023, when the Environmental Protection Agency (EPA) started requiring states to [evaluate the cybersecurity](https://www.theregister.com/2023/03/06/epa_security_public_water/) of their public water systems’ OT environments.

The feds cited [increased attacks](https://www.ksnt.com/news/local-news/kansas-hacker-pleads-guilty-to-shutting-down-drinking-water-plant-with-phone/) in multiple states — including the Oldsmar, Florida [attempted poisoning](https://www.theregister.com/2021/02/09/florida_water_hacked/) — and noted that many of these systems ‘have failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by a cyberattack.’

A month later, the state attorneys general of Arkansas, Iowa, and Missouri sued the EPA to stop the rule, arguing that it ‘intrudes on states’ sovereignty,’ according to [the complaint](https://storage.courtlistener.com/recap/gov.uscourts.ca8.105743/gov.uscourts.ca8.105743.814733274.2.pdf) [PDF].

In October 2023, the EPA [threw out the rule](https://www.theregister.com/2023/10/13/epa_rescinds_water_cybersecurity_rule/), citing the lawsuit as the reason.

The EPA’s planned audit of states’ water systems’ cybersecurity posture ‘would have been an essential tool to shore up security around critical infrastructure and ensure clean and safe drinking water for residents of the United States,’ Tausek lamented.

### ‘Reliance on public funding’

But any type of minimum security standard would have been difficult to implement and enforce.

‘Some reasons why this area is getting so much pushback are likely due to the reliance on public funding, and how that funding gets distributed amongst the water companies,’ AttackIQ’s Costis explained. ‘There are also likely to be gaps in regulations which may lead to inconsistencies with regards to security measures, as well as an overall slower rate of security program adoption and improvement over time.’

According to XONA’s Fabela, this is where the US Cybersecurity and Infrastructure Security Agency (CISA) has a role to play. ‘CISA is not regulatory, but it does have traction providing guidance,’ he said.

He added that more programs to provide grants and loans to rural water utilities that don’t otherwise have the resources to implement better security practices are needed: ‘Using the money stick as opposed to the regulation stick.’

There are also some fairly simple technical solutions to the problems, which CISA has encouraged the water and wastewater sector to implement as well. These include changing default and compromised passwords and PINs, changing the ports, and securing remote access via a VPN or other technology.

‘Just saying “make sure these things aren’t remotely accessible” is not realistic,’ Fabela noted, adding that while administrators need to be able to monitor water pumps and check chemical levels remotely, this doesn’t mean that attackers should be able to scan for and find vulnerable IoT devices easily.

‘Dear lord, get your stuff off of [Shodan](https://www.shodan.io) please,’ he urged. ‘It may not be a national threat, but it’s a national embarrassment.’ ®