US Gov't Agency Issues Warning over Water Sector's Security
The rapidly evolving cybersecurity landscape is increasingly putting critical infrastructure at risk, with a watchdog placing the US Environmental Protection Agency (EPA) under scrutiny for its lacklustre approach to cybersecurity in the water sector.
The Government Accountability Office (GAO) report highlights alarming trends in cyber attacks targeting water and energy systems, emphasising the urgent need for improved defences and strategic planning.
It also reveals that the EPA is falling behind on fundamental duties, including developing a national strategy to address cyber risks.
The water sector's difficulty in cultivating a "cybersecurity culture" has led to poor cyber hygiene, exacerbated by limited resources for digital protections.
This comes at an increasingly perilous time for critical infrastructure, as a rise in attacks targeting it has raised fears that systems may increasingly be taken offline, causing mass disruption.
Cyber challenges facing critical infrastructure
Recent incidents underscore the severity of the threat. Iranian-linked hackers targeted a Pennsylvania water facility, alleged Chinese state actors infiltrated US water systems, and a Russian nationalist group with ties to military intelligence compromised Texas water facilities.
Equally, in 2021, officials warned a hacker tried to poison a Florida city's water supply by raising sodium hydroxide to extremely dangerous levels.
It is for reasons like this that President Biden's administration has made protecting the water sector a key cybersecurity priority.
But it's not just water that is under threat: key critical infrastructure has seen a surge in malicious activity.
A 2024 Data Threat Report by Thales reveals that nearly half of critical infrastructure organisations in the energy sector have experienced data breaches, with ransomware attacks becoming increasingly prevalent. An alarming 93% of these organisations have observed an increase in cyber attacks.
These large infrastructure sectors' vulnerability stems from their reliance on legacy operational technology systems and the complexity of their infrastructure.
Malware, phishing, and ransomware top the list of common cyber threats, with nearly a quarter of respondents falling victim to ransomware attacks in the past year.
Human error, exploitation of known vulnerabilities, and failure to implement multi-factor authentication are leading causes of cloud-based breaches.
The GAO report criticises the EPA for failing to conduct a sector-wide risk assessment and lacking a risk-informed strategy.
This oversight leaves the agency ill-equipped to make informed decisions and address the highest risks effectively. The EPA's current assessment methods are limited in scope and anonymised, preventing the development of a comprehensive national-level assessment.
The surge in DDoS
Adding to these concerns, three separate reports from cybersecurity firms Imperva, NETSCOUT, and F5 Labs highlight a dramatic surge in Distributed Denial of Service (DDoS) attacks. F5 Labs documented a 112% rise in DDoS attacks from 2022 to 2023, while Imperva reported a 111% increase in the first half of 2024 compared to the same period in 2023.
DDoS attacks can significantly disrupt the operations of an organisation, including those controlling critical infrastructure like water systems. DDoS attacks are designed to overwhelm a network by flooding it with excessive traffic, which can incapacitate the network's ability to process legitimate requests.
This can lead to downtime and operational setbacks, causing severe damage to industrial control systems (ICS) in both the short and long term and the cessation of critical functions.
As in the GAO report, geopolitical tensions were listed as playing a significant role in driving these DDoS attacks. Ukraine experienced a 519% increase in DDoS attacks, while other politically unstable regions also saw significant surges.
The telecommunications sector has been particularly hard hit, with Imperva reporting a 548% rise in application layer DDoS attacks targeting telecom and ISP sectors.
As the threat landscape continues to evolve, it is clear that both the water and energy sectors must prioritise the development of comprehensive cybersecurity strategies. With vital services at stake, there is a need for coordinated and proactive responses from within the critical infrastructure sector.
******
Cyber Magazine is a BizClik brand