Protecting Infrastructure: The Vulnerability of the Nation’s Grid and Water Supply

CYRIN Newsletter


“It’s rare that four government agencies issue a joint advisory on a potential threat to the basic health and welfare of the entire U.S. population,” Mark Montgomery and Samantha F. Ravich write in The Washington Post. “But that’s what happened in October when the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA) and Environmental Protection Agency warned that U.S. water and wastewater systems are being targeted by “known and unknown” malicious actors.” The agencies’ warning is “not theoretical.” In February 2021, hackers breached the water-treatment system in Oldsmar, Florida, and attempted to raise the level of sodium hydroxide (lye) in the water 100-fold. In other words, they tried to poison the water.

Montgomery and Ravich note that the US “has approximately 52,000 drinking water and 16,000 wastewater systems, many of which service small communities of fewer than 10,000 residents.” These water systems have limited budgets, and they lack cybersecurity personnel with enough expertise to meet their security needs. Though politicians are recognizing that protecting the water system is a matter of national security, not enough has been done. “The $1.2 billion infrastructure bill that ultimately passed Congress paid more attention to energy and transportation-sector cybersecurity than water protection.”

And the water system is not alone in its vulnerabilities. The electrical grid can be hacked too. We’re watching as Russia hacks Ukraine’s electrical grid, and we saw Belarusian Cyber Partisans announce that “they had breached the computer systems of Belarusian Railways.” What’s to stop nation-state bad actors from hacking the US electrical grid or our transportation systems?

Michael Riley writes in Bloomberg about “a desperate scenario” playing out on Plum Island near New York’s Long Island. The emergency drill: a large part of the power grid goes down, leaving the population in the dark and critical facilities desperate. “A team of utility operators and cybersecurity experts scrambles to get the grid back up, while hackers try to keep it down.” These drills were held by the Defense Advanced Research Projects Agency (DARPA). “Its goal was to expose utilities accustomed to dealing with hurricanes, blizzards, and other challenges to the reality of a successful cyberattack on the U.S. electrical grid,” Riley writes. He continues, “Concern about such an event has been mounting within the U.S. government for years. DARPA began laying the groundwork for its drills in mid-2015, part of a five-year, $118 million project called Rapid Attack Detection, Isolation and Characterization Systems—or RADICS—after chilling congressional testimony the previous year from then-National Security Agency Director Mike Rogers.” Rogers informed lawmakers that hackers had been hard at work trying to break into US power utilities and that Russia “had been caught planting malware in the same kind of industrial computers used by power utilities.” It isn’t a matter of if the US grid will be hit, Rogers warned. It’s a matter of when.

In late December 2021, Riley reported in Bloomberg, “U.S. officials privately warned utilities they could be targeted if relations with Russia deteriorate, telling them their security teams shouldn’t take the holidays off, according to two people familiar with the briefing.” Riley also noted that Secretary of the Army Christine Wormuth recently told reporters that the power grid would also be a target in a conflict with China over Taiwan. Hackers who want to bring down a grid would likely manipulate the computers that keep it in balance. And the people with those skills right now are nation-state actors. And should they go after our networks, it will be considered an “act of war.”

Tucker Bailey writes for McKinsey about the “three characteristics” that make the energy sector especially vulnerable to contemporary cyberthreats:

So how can we protect against these vulnerabilities in water and the electrical grid?

The Washington Post reports that “Government agencies have imposed new cyber rules on banks, pipelines, rail systems, airlines and airports during just the past six months.” The rules “mostly require the companies to alert government about cyber incidents.” In addition, Congress “is pushing a bipartisan bill to require companies in all the sectors deemed ‘critical infrastructure’ to report to the Cybersecurity and Infrastructure Security Agency when they’re hacked.” And though some in the industry are pushing back against this, many think it doesn’t go far enough.

McKinsey’s Tucker Bailey argues that we need to “apply our work in more cyber-sophisticated industries (e.g., banking, national security) and our on-the-ground international experience with utilities at various stages of technological sophistication” and engage in a three-pronged approach that will help us meet these challenges:

What Now?

The evidence is in. It’s well past time to get ready to defend against hackers, whether they are nation-state actors, hacktivists, or people just looking to make money. And as we examine the vulnerabilities of the US water system and power grid, we must look at our own companies too. Are we well protected? Do we have the cybersecurity teams we need to protect our assets, systems, and intellectual property? Are educators training their students with the right tools and in the right way?

CYRIN can help. Our eLearning platform is a simple to use web-based training system that has provided comprehensive training to people in charge of the most sensitive networks in the world — America’s military and first responders. We have some of the best content including skills development labs, individual or team exercises, and multiple cyber-attack scenarios. CYRIN’s online interactive virtual training platform is designed to improve the skills of IT, engineering and cybersecurity professionals and learners. Each learner or corporate trainee receives his/her own virtual instance of the CYRIN cyber range and completes “learn by doing” exercises. CYRIN, in a virtual environment, is as close to a real-world experience as you can get.

CYRIN plays out real-life scenarios to help your team, your learners and your company be prepared and protected – for whatever comes next. To see what we can do for your team, contact us for further information and your personalized demonstration of CYRIN.
