It’s hard to imagine a cyberattack on a critical infrastructure target any more disastrous and cruel than one on a source of drinking water. Yet, the White House says there is now evidence that state-sponsored threat actors are doing just that.
The current likelihood of a crippling attack on either a public or private water system is ringing alarm bells at the White House, which sent a letter to U.S. governors on March 18 warning of potential cyberattacks on water and wastewater systems — and highlighting the potential for MSSPs and MSPs to provide critical security services.
Threats are opportunities for security service providers to step in and help, and this is no exception.
But operational technologies such as water system infrastructure have different requirements than the IT systems that MSSPs and MSPs are accustomed to protecting.
An MSSP Approach to Defending Water Infrastructure
Trevor Smith, executive vice president at Brite, an MSSP offering a 24/7 security operations center (SOC), explained that the convergence of IT and operational technology (OT) inside organizations supporting critical infrastructure and running industrial control systems creates a mix of both new and existing technology solutions.
“NIST and NERC have released guidelines to help organizations design their security programs,” Smith said. “For managed security service providers, these recommendations include many of the services we provide today, such as 24/7 monitoring and active threat hunting. The major difference is our requirement to passively collect information and alter the method of response.”
Smith noted that, unlike traditional IT, OT devices do not allow installation of agents, nor do they have the capability to broadly patch vulnerabilities. Thus, purpose-built technologies are needed to identify company assets, rogue devices, and anomalous activity, and to defend against emerging threats on very vulnerable devices.
Infrastructure Cybersecurity: Opportunities for MSSPs, MSPs
“MSSPs and MSPs have an opportunity to work with local and state municipalities to provide cost-effective solutions for water authorities that may not have the budget or expertise to set up their own security operations center (SOC),” said Nick Tausek, lead security automation architect at Swimlane, a security provider that partners with MSSPs.
As for his recommended technology tools to protect water systems, Tausek told MSSP Alert, “MSSPs and MSPs should look for technologies and services that can help them inventory assets and map networks, as well as tools that can help them reduce exposure to the internet, especially for IoT and operation technological devices. Auditing tools and backup and disaster recovery utilities and services are essential.”
Commenting on water security business opportunities, Sean Deuby, principal technologist at Active Directory security specialist Semperis, said, “MSSPs and MSPs are well positioned to do what they do best: Provide the security tools and the subject matter experts (SMEs) to manage and monitor these tools that small and medium critical infrastructure agencies — for example, municipal water systems — may not have.”
Deuby noted that this “skills-and-tools boost” especially applies to areas like identity infrastructure. Within this space, experts with the skills to successfully detect and repel cyberattacks are far less common in small agencies than in large, state-wide agencies. Moreover, identity is reliably targeted in cyberattacks.
“A back-of-the-envelope analysis combines the probability of attack, high, with the impact of that attack, also high,” he explained. “Counter this with in-house identity cyber defense skills, which are probably low, yields a very high priority threat that must be addressed immediately.”
Malachi Walker, security advisor at DomainTools, a threat intelligence company that partners with MSSPs, believes that there is a tremendous opportunity for MSSPs and MSPs to be proactive in supporting critical water systems. He said that one helpful service (and business inroad) is CISA’s service offering free security scans to public water utilities and other organizations involved with critical infrastructure.
"These scans will introduce vulnerabilities specific to organizations that MSSPs and MSPs can then help support in addressing,” Walker said. “By sharing this information with critical water system organizations, MSSPs and MSPs can build goodwill with prospects and be top of mind for those organizations when these scans reveal vulnerabilities that they can help address. Technologies and services that can be especially helpful are those that specialize in access control, application security and third party risk management."
Ticking Time Bombs, Crossing a Red Line
Token CEO John Gunn believes that potential attacks on critical infrastructure like water are no less than “ticking time bombs.” Gunn offered a realistic scenario:
“Imagine China invades Taiwan and we support our ally, or another scenario that leads to a broader conflict. China could then activate their earlier compromises and potentially cut off water, power, and other critical services for tens of millions of American citizens.”
Tom Kellermann, senior vice president of cyber strategy at application security platform Contrast Security, said that these cyber saboteurs “have crossed a red line.”
“This is a significant escalation as rogue nation states show a willingness to kill Americans through cyberattacks,” he said.
China, Iran Threats to Water Not Taken Lightly
The White House letter noted two recent and ongoing threats involving the Iranian Government Islamic Revolutionary Guard Corps and the People’s Republic of China Volt Typhoon threat group.
The letter emphasized that drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline to the critical infrastructure sector. However, these operations often lack the resources and technical capacity to adopt rigorous cybersecurity practices.
National Security Advisor Jake Sullivan and Environmental Protection Agency Administrator Michael Regan signed the letter, warning that "disabling cyberattacks are striking water and wastewater systems throughout the United States." They cited a recent case in which hackers likely acted in concert with Iran's Revolutionary Guard to disable a controller at a water facility in Pennsylvania in November 2023.
Correspondingly, CISA, the U.S. Environmental Protection Agency (EPA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory pertaining to Top Cyber Actions for Securing Water Systems.
In addition, the EPA will engage the water sector and Water Government Coordinating Councils to form a Water Sector Cybersecurity Task Force. The group will build on recommendations from environmental, health and homeland security secretaries.
To enroll in the program, email [email protected] with the subject line "Requesting Vulnerability Scanning Services," including the utility's name and address, and a CISA agent will reply with guidance on the following steps.