幸运的是,设施通常对内部机制进行手动控制,在设施安全之前仅发生轻微的储罐溢出。该联合公告还发布了许多 OT 漏洞缓解措施,您可以在此处找到这些漏洞 ( PDF )。
Hostile nations seem to be dead-set on damaging critical US infrastructure, as Russia has joined the fray with the likes of Iran and China in launching cyber attacks against water facilities.
Vulnerable operational technology (OT) used in US water and energy infrastructure are prime targets for state-sponsored actors looking to potentially poison water supplies or erode trust in energy reliability, with Chinese-backed probing suspected to be practice for if the two superpowers were to go to war.
A joint advisory issued by 6 US government agencies, as well as the UK’s National Cyber Security Center and Canada’s Center for Cyber Security warns that the water supply is at risk due to unsecured OT devices.
Water versus the world
While most of the attacks against US water facilities by Russia-linked groups only amount to “nuisance effects” and “limited disruption,” the joint advisory warns that there is the potential for threat actors to have considerable control over certain OT environments, particularly those that are “insecure and misconfigured.”
Russia-linked groups have accessed human machine interfaces (HMIs) by breaking into internet-exposed virtual network computing (VNC) using manufacturer-issued default passwords. In 2024, Russian groups have used the above method to augment water pump controls to operate outside of their recommended parameters, turned off the alarm systems that could recognize a potential overflow, and change the access credentials to prevent facility workers from reversing the changes.
Luckily, facilities usually have manual control over the internal mechanisms, with only minor tank overflows occurring before the facilities were secured. The joint advisory also issues a number of OT vulnerability mitigations which can be found here (PDF).
When a crazy pro communist Canadian turns up at a London public piano, engages in blatant harassment and tries to stop the music. #TakeDownTheCCPpic.twitter.com/ZOPDN1cXuF
— Brendan Kavanagh (Dr K) (@brenkav) May 1, 2024
