The water sector has failed in its duty to resist attacks from foreign enemies. That's the blunt message from the Environmental Protection Agency and the President's National Security Advisor.
“Thank you for drawing attention to this important issue.” it is passive aggressive sign off. Today on SB Blogwatch, we avoid the K-word.
Your humble blog watcher has hand-picked the content of these blogs for your entertainment. Needless to say, DEF CON's advice.
Iranian and Chinese finger torture
What is Craic? Sean Lyngaas reports that “Cyberattacks are hitting water systems across the United States.”
“disrupt critical infrastructure”
The White House and the Environmental Protection Agency warned U.S. governors that state governments and water utilities need to strengthen their defenses against the threat. [In a] A letter to the governor from EPA Administrator Michael Regan and National Security Advisor Jake Sullivan said water utilities were not taking “even basic cybersecurity precautions.”
…
In November, hackers broke into industrial equipment at several U.S. water utilities and displayed anti-Israel messages on the equipment, U.S. officials said. The Biden administration blamed the Iranian government. …Chinese state-backed hackers have also breached U.S. water facilities, U.S. officials say. The Biden administration is concerned that Beijing could disrupt critical infrastructure in the event of a conflict.
Wow. “We call on all countries to strengthen cybersecurity in the water sector,” Ionat Argiya added.
“Water sector cyber security task force”
The White House invited state environmental, health, and homeland security officials to a meeting to discuss protecting critical water and wastewater infrastructure. The one-hour virtual meeting, scheduled for Thursday, March 21 at 1:00 pm EST, will focus on the U.S. government's efforts to improve cybersecurity in the water sector, discuss gaps, and discuss state and water sector cybersecurity efforts. Prompt the system to take immediate action.
…
The letter said threats to the water system include groups associated with Iran's Islamic Revolutionary Guards Corps (IRGC). [and] Chinese threat actor Bolt Typhoon. … The White House also announced that the EPA is working with partners in the water sector to identify “near-term actions and strategies to reduce the risk of water systems nationwide to cyberattacks.” announced the formation of a cybersecurity task force. EPA and her CISA provided guidance and resources to improve water system resiliency.
Horse's mouth? Michael S. Regan and Jake Sullivan – “Dear Governor:”
“Basic cybersecurity precautions”
Drinking water and wastewater systems are attractive targets for cyberattacks because they are critical infrastructure sectors of lifelines, but they often lack the resources and technical capacity to implement rigorous cybersecurity practices. I am. … Partnerships with state, local, tribal, and territorial governments are essential for EPA to fulfill this mission. In the spirit of this partnership, we ask for your help in addressing the pervasive and difficult risks of cyberattacks on drinking water systems.
…
In many cases, even basic cybersecurity precautions, such as resetting default passwords and updating software to address known vulnerabilities, are not taken. … Thank you for your attention and cooperation on this important issue.
How did this happen? Mike 137 wants to know:
Are you a little late? The CISA fact sheet recommends:
* Enabling cybersecurity teams to make informed resource decisions
* Effectively apply detection and hardening best practices
* Receive ongoing cybersecurity training and skills development
* Develop a comprehensive information security plan and conduct regular tabletop exercises
* Establish strong vendor risk management
* Ensure performance management results are aligned with cyber objectives
Unless all of this is already in place and operational, it seems to me that it is hopeless to protect yourself from the recommended threats. Why doesn't information security for critical infrastructure work at all?
Is this a left/right malfunction? [Delete as appropriate for your personal narrative.] AmorImpermissus strives to be fair:
To be fair, none Many baby boomers in Congress appear to be aware of the abysmal state of U.S. government agencies' cybersecurity practices. This has been a completely bipartisan abject failure for years, and I'm absolutely insane how no one on either side refuses to give this the attention it deserves.
People will die before anything gets done, but it still won't be enough. ***hole.
Can you see the pachyderm in the drawing room? u/rupiefied asks a question that is far from “stupid”.
This may be a stupid question, but have you ever thought about the possibility that your critical infrastructure is not connected to the internet at all? Because that seems like the easiest solution.
…
Given all the ransomware and all the chaos, it seems like it would be a lot cheaper to hire Greg to monitor the various levels. on site We are available by phone if necessary.
Sounds like a recipe for unexpected results. According to Anonymous Coward, the answer is as follows.
Immediately: Unplug all control systems connected to the Internet. If for some incredibly stupid reason your software won't work without calling mom, just replace it, even if you have to downgrade to an older one that worked perfectly fine.
Time to put on your hat. Mike Wallot reaches for the aluminum foil.
It is unfortunate that data diodes, which enable monitoring of critical infrastructure while making control infiltration (i.e., hacking) physically impossible, are not widely deployed. We knew all along how to do this safely, and yet here we are.
My personal theory on how we got here is: In the late 1970s, it was decided not to push recent advances in capability-based security to the wider world. Because it makes the NSA's job just a little bit harder.
meanwhile, I'm not saying Astro-CCD is “prepper”, but here it is:
I'm glad to be on a well that is controlled by old-fashioned switches and relays.
And finally:
Defcon Hotel Options
Stop Press: Quick Update on Westgate Route
before And finally
you are reading SB blog watch Written by Rich Jennings. Richi handpicks the best blog articles, best forums, and weirdest websites. There's no need for that.Harassing emails may be sent to: @RiCHi, @richij or sbbw@richi.uk. Consult your doctor before reading. Your mileage may vary. Past performance does not guarantee future results. Do not stare into the laser with your remaining eyes. E&OE. 30.
Image source: Jennifer Latuperisa-Andresen (via Unsplash, leveled and cropped)
Recent articles by author
