The United States government has alerted its allies to the growing threat posed by state-sponsored hackers from China and Iran, who are primarily targeting vital infrastructure such as water systems.
Several Iranian attacks against Unitronic programmable logic controllers (PLCs), which are used in water facilities, were investigated by the Cybersecurity and Infrastructure Security Agency (CISA).
In what officials say may be preparation for a larger playbook in the event of a war between the US and China, China has also focused on examining vital US infrastructure.
Targeting The Weakest Link
“Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” Michael Regan, and National Security Advisor, Jake Sullivan said in a public letter issued by the Environment Protection Agency (EPA) Administrator, as reported by the Techradar.
The targeted facility’s water supply remained unaffected by the attack carried out by an Iranian-backed group; however, if the attack had gone further and breached the PLCs controlling the water supply, the attackers could have contaminated the water, damaged the facility, or even cut off the municipal water supply.
China’s attacks on water facilities, power grids, port infrastructure, and at least one oil and gas pipeline are most likely the result of the Volt Typhoon. The letter continued, stating, “Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”
The critical underfunding, low staffing, and general lack of cybersecurity have made US water facilities an easy target for cyberattacks for a long time.
According to a recent announcement from the Joe Biden Administration, private companies should bear the brunt of cyber security liability as they are best suited to lower the risks facing public institutions and small businesses.
“In many cases, even basic cybersecurity precautions — such as resetting default passwords or updating software to address known vulnerabilities — are not in place and can mean the difference between business as usual and a disruptive cyberattack,” the letter stated.