FBI director warns of CCP cyber attacks days after CISA guidance issued

In January, testifying before the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party, FBI Director Christopher Wray warned Chinese hackers are preparing to “wreak havoc” on critical U.S. infrastructure.

In his remarks, Wray specifically mentioned water as a critical system that could be vulnerable to attack.

“There has been far too little public focus on the fact that PRC [People’s Republic of China] hackers are targeting our critical infrastructure — our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems — and the risk that poses to every American requires our attention now,” Wray said in his opening statement.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities,” he continued. “If or when China decides the time has come to strike, they’re not focused solely on political or military targets. We can see from where they position themselves, across civilian infrastructure, that low blows aren’t just a possibility in the event of a conflict. Low blows against civilians are part of China’s plan.”

Regarding the water sector, the director’s remarks come days after the Cybersecurity and Infrastructure Security Agency (CISA), FBI and U.S. Environmental Protection Agency (EPA) published a guide to assist water and wastewater owners and operators in cyber incident response. It provides information about federal roles, resources and responsibilities for each stage of the response lifecycle. The guidance was developed in collaboration with more than 25 water/wastewater sector, nonprofit and state/local government partners.

“Cyber threats to the water sector represent a real and urgent risk to safe drinking water and wastewater services that our nation relies on,” said EPA Assistant Administrator for Water Radhika Fox.

“The water and wastewater systems sector is under constant threat from malicious cyber actors,” added CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “This timely and actionable guidance reflects an outstanding partnership between industry, nonprofit, and government partners that came together with EPA, FBI and CISA to support this essential sector. We encourage every [water and wastewater systems] entity to review this joint guide and implement its recommended actions.”

In testimony, Wray described a Chinese government-backed cyber operation called “Volt Typhoon” that comprised “hundreds of routers,” enabling China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure including from the water sector. The FBI and the U.S. Justice Department said in January it took steps to shut down Volt Typhoon, but the threat of hackers still remains, CNN reported.

John Sullivan, chief engineer at Boston Water and Sewer Commission and chairman of the Board of Managers for WaterISAC, the organization that manages and shares threat information for the water sector, told WF&M in 2022: “Since water and wastewater provide the most basic service for daily survival, they are attractive targets…all critical infrastructure is vulnerable, even the most well financed and technically sophisticated. This is in part due to the evolving capabilities of hackers.”

WaterISAC advises utilities have cybersecurity incident response plans with constant employee awareness training. Some of its primary recommendations for protecting against cyberattacks include:

  • Multi-factor authentication;
  • Anti-virus and anti-malware programs;
  • Enabling spam filtering to prevent phishing emails from getting through;
  • Keeping software up-to-date and filtering network traffic that monitors threat indicators; and
  • Developing and being prepared to implement incident response plans

In October 2023, EPA withdrew plans to require water systems to incorporate cybersecurity audits as part of utility sanitary surveys. Industry associations and utility leaders pushed back against the plan, saying surveys would ultimately be ineffective at improving cybersecurity at water systems and called for a collaborative approach to cybersecurity in the sector.

Leave a Reply

Your email address will not be published. Required fields are marked *