Cybercriminals Targeting American Water Infrastructure, Feds Say
March 27, 2024 Alex Woodie
Overseas cybercriminal groups are ramping up their attacks on American infrastructure, including drinking water and wastewater systems, the White House warned last week. Considering that many local water districts rely on the IBM i server, this should serve as a wakeup call for them to bolster security before it’s too late.
In a letter addressed to the governors of all 50 states, EPA Administrator Michael Regan and Jake Sullivan, assistant to the president for National Security Affairs, warned that government security professionals have detected attacks on water systems coming from China and Iran.
One of the attack vectors was traced to Iran’s Revolutionary Guard, which worked with cybercriminal affiliates to compromise water districts’ programmable logic controllers (PLCs) that used default passwords, the two Federal officials wrote in the March 18 letter, which you can read here.
The government of China, meanwhile, is working with a hacking group called Volt Typhoon to “pre-position themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflict,” the officials wrote.
Volt Typhoon has already successfully established itself in American infrastructure, according to Andrew Scott, an associate director for China operations at the Cybersecurity and Infrastructure Security Agency.
“[Chinese] cyber actors have been on our critical infrastructure networks for in some cases up to the last five years,” Scott said last week at a cybersecurity meeting, according to this story in Statescoop. “They have the access that they need, and if the order was given, they could disrupt some services in this country right now.”
Our adversaries are targeting drinking water and wastewater systems because they’re critical pieces of infrastructure “but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” Regan and Sullivan wrote in the March 18 letter.
“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident,” the officials wrote.
To help local water districts bolster their security against these and other cyberattacks, the EPA has established best-practice guidelines, which include security assessments, planning, training, response, and funding components. You can read more about those resources here.
The targeting of water infrastructure recalls an alarming incident from Verizon’s 2016 Data Breach Report. In that incident, a “hacktivist” group had compromised a front-end Web server exposed to the Internet, which, through poor configuration, allowed them to gain access to the water district’s supervisory control and data acquisition (SCADA) application. That AS/400-based SCADA application operated valves that controlled the flow of water and chemicals. The cybercriminals manipulated the valves, but didn’t cause any harm before being discovered.
We don’t know exactly how many water districts are using the IBM i server, but we can make ballpark guesses. A quick search of the ALL400s list of IBM i shops revealed about 40 water districts and wastewater organizations in the U.S. and Canada as users of the platform.
IBM i is one of the most securable platforms. Concepts like “adopted authority” allow the design of a very strict and transparent surface to the data (where authority is given to a *PGM to access data, not directly to the generic user identity). And exit programs are pretty powerful. Yes, it requires some design beforehand, like everything.
Anyway, avoiding exposing resources to the internet can deter 99.9% of naive attacks in practical terms, as can some basic firewalling and network segmentation.
Then, there are really sophisticated attacks, but those are a minority and cost money to realize.
The problem I now see in the geopolitical equilibrium is that the internet runs on a presumption of well-behaved international cooperation, i.e. the BGP system... it can be used in some way to divert traffic between countries in a malicious way (it has already been done).
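The “adopted authority” pattern mentioned in the comment above, shown as a constructed IBM i CL example (added here; not from the article or the commenter). It assumes a library WTRLIB, a physical file VALVESET, an owner profile WTRAPPOWN, a group profile OPERATORS, and a CL source member CHGVALVE in WTRLIB/QCLSRC; all of these names are hypothetical.

```cl
/* Constructed example: least privilege via adopted authority on IBM i.      */
/* Names (WTRLIB, VALVESET, WTRAPPOWN, OPERATORS, CHGVALVE) are assumptions. */

/* 1. Lock the data down. Only the owning profile can touch the file directly;  */
/*    *PUBLIC gets *EXCLUDE, so an interactive user or FTP session is refused.   */
CRTPF     FILE(WTRLIB/VALVESET) RCDLEN(80) AUT(*EXCLUDE)
CHGOBJOWN OBJ(WTRLIB/VALVESET) OBJTYPE(*FILE) NEWOWN(WTRAPPOWN)
GRTOBJAUT OBJ(WTRLIB/VALVESET) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 2. Put the controlled update in a program owned by WTRAPPOWN and compiled     */
/*    with USRPRF(*OWNER). While CHGVALVE runs, the caller adopts the owner's    */
/*    authority to VALVESET; outside the program that authority does not exist.  */
CRTBNDCL  PGM(WTRLIB/CHGVALVE) SRCFILE(WTRLIB/QCLSRC) SRCMBR(CHGVALVE) +
          USRPRF(*OWNER) AUT(*EXCLUDE)
CHGOBJOWN OBJ(WTRLIB/CHGVALVE) OBJTYPE(*PGM) NEWOWN(WTRAPPOWN)

/* 3. Grant operators the right to run the program only, not to read the file.  */
GRTOBJAUT OBJ(WTRLIB/CHGVALVE) OBJTYPE(*PGM) USER(OPERATORS) AUT(*USE)

/* 4. Keep the adopted authority from leaking: any program CHGVALVE calls        */
/*    inherits it unless that callee is marked USEADPAUT(*NO).                   */
CHGPGM    PGM(WTRLIB/CHGVALVE) USEADPAUT(*NO)

/* 5. Verify the result. DSPOBJAUT should show *PUBLIC *EXCLUDE on the file;    */
/*    DSPPGM should show "User profile . . . : *OWNER" for the program.         */
DSPOBJAUT OBJ(WTRLIB/VALVESET) OBJTYPE(*FILE)
DSPPGM    PGM(WTRLIB/CHGVALVE)
```

Step 4 applies to programs called from CHGVALVE; setting USEADPAUT(*NO) on CHGVALVE itself only stops it from using authority adopted by its own callers, so review each callee the same way.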
The exposure of water districts to bad actors is just a small part of the problem when it comes to unsecured AS400 systems in the government arena. At least 20 states and numerous county and city government systems are at risk.
For example, imagine if all of the computers used by the city of New York were simply shut down without warning (it uses the AS400). It could have far more devastating consequences than an attack limited to water districts.
Click on this link and then options 12 or 13 to see just a few of the government organizations that could be at risk if their AS400s aren’t secured – https://www.all400s.com/every00.html
I’ll be adding a page showing county governments who use an AS400 that could be at risk shortly.
By the way, judging by their public budget documents many of these state, county, and city level governments are using an iSeries, not the IBM i.