A Washington Post article pointed out that there is more nation-state interference in critical infrastructure in the United States. I have written on this topic before. Another Water District has been hacked in Hawaii by the group labeled Volt Typhoon. Although reports suggest that no damage occurred, this does not eliminate the threat.
The Threat is Real
The Post estimates that several facilities have been infiltrated over the last 2 years. Many of the entities attacked fall into the category of critical infrastructure, like water systems, power grids, and power generation facilities. Many of the systems are targets of opportunity: critical infrastructure facilities whose cybersecurity is lax, or that have vulnerabilities they are not aware of. For example, the breach at Aliquippa Power happened because of an unknown vulnerability in both billing systems and the computerized control of their facilities, known as SCADA systems.
While the Aliquippa and Hawaii hacks appear to be related to foreign actors, many serious hacks are perpetrated by current or former insiders, like the hack of the water treatment facilities in Discovery Bay, California, in 2021. Water Districts need to have rigorous security protocols for both external and internal threats.
Advanced Persistent Threats
Many of the attacks from foreign actors are what's known as advanced persistent threats.
An Advanced Persistent Threat (APT) is a sophisticated and targeted cyber attack in which an unauthorized user or group gains unauthorized access to a network and remains undetected for an extended period. The “advanced” aspect refers to the use of sophisticated techniques, tools, and strategies to breach security defenses, while the “persistent” aspect indicates the intruder’s ability to maintain a long-term presence within the compromised system.
APTs are typically conducted by well-funded and highly skilled threat actors, often with specific objectives such as stealing sensitive information, conducting espionage, or disrupting critical operations. These attacks often involve a combination of social engineering, zero-day exploits, malware, and other advanced tactics to compromise and maintain access to a target network.
Unlike more opportunistic and short-term cyber attacks, APTs are characterized by their stealth, patience, and determination. The attackers often adapt their strategies to evade detection, regularly updating their tools and techniques to exploit vulnerabilities and avoid security measures. Defending against APTs requires a multi-layered and proactive approach, including robust cybersecurity measures, continuous monitoring, and incident response capabilities.
What does this really mean? Foreign actors who infiltrate a water system are content to sit and wait or do reconnaissance. That is, until the time comes when they receive the signal to move from reconnaissance to attack.
This is reminiscent of the old saying in Cybersecurity, “There are two types of people: Those who have been hacked, and those who do not know they have been hacked.”
Cybersecurity Knowledge is Desperately Needed
As I have mentioned in previous articles, the threat to life and property in Santa Clara County is significant and should not be underestimated. The Santa Clara Valley Water District needs a Director who understands the threat to our watersheds and water systems and can give it the oversight it deserves. Bill Roth is the candidate to do that.