Security & Identity

Cloud CISO Perspectives: Why water security can’t wait

July 31, 2024
Phil Venables

VP, TI Security & CISO, Google Cloud

Sandra Joyce

VP, Google Threat Intelligence

Welcome to the second Cloud CISO Perspectives for July 2024. Today, guest columnist Sandra Joyce discusses the complex response needed to secure drinking water systems from cybersecurity risks.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

Safeguarding the source: Why water security can’t wait

By Sandra Joyce, VP, Google Threat Intelligence, Google Cloud

Clean and reliable drinking water is easy to take for granted. How often do you think about where your water comes from, or how secure the pipes and infrastructure that deliver it are? When we brush our teeth, nearly all of us are thinking about anything other than the cybersecurity of the computer systems that control municipal water operations, yet more of us should.

Our water needs are vast and varied. Hospitals need specially purified water to perform surgery. Many kinds of nuclear power plants rely on water for cooling. Manufacturers of semiconductors require water to produce silicon wafers on which computer chips are built. Even U.S. military bases often require reliable flow of local water to keep their operations going worldwide.

Reliable delivery of water and wastewater services is essential, and more importantly it serves as a fundamental national security pillar on which other critical services and defense rely. Hackers who want to shut down well-defended critical infrastructure and military systems may find it easier to attack a local water company instead, because they understand the cascading effect compromised water can have.

Increasingly, we find that water systems are on the frontline of cyberattacks. Some hackers are criminals motivated to deploy ransomware for profit. Some are foreign militaries and intelligence services preparing for future sabotage during wartime. Threats to those systems are America’s cybersecurity Achilles’ heel, and our adversaries appear to know it.

Recently, Russian hackers claimed that they disrupted a water facility in Texas. They posted videos of themselves manipulating the sensitive control systems at Texas water districts, and a representative of at least one district publicly confirmed the disruption. The group has murky ties to the Russian military intelligence unit best known as APT44 or Sandworm. As a result, the U.S. Treasury sanctioned two members of the Russian hacktivist group in July 2024 for their roles in cyber operations, an important part of the overall strategy to push back on attackers.

APT44 attacked the 2016 U.S. presidential elections, the Pyeongchang Olympics, caused blackouts in Ukraine, and carried out NotPetya, the most expensive cyberattack in history, which disrupted shipping and supply chains across the world.

Hackers from China and Iran have also been targeting U.S. water and wastewater treatment computer systems, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and the Israeli government. China-linked hackers known as Volt Typhoon have been especially adept at quietly burrowing into position on these systems in the U.S. and among its allies in the Asia-Pacific region. They may wait for years before attacking, ready to disrupt safe water access “in the event of potential geopolitical tensions and/or military conflicts.”

While legacy industrial control systems, such as those that water infrastructure relies on, are designed for reliability and safety, many adversaries can still be stymied by defense-in-depth strategies and the inherent technical challenges of moving from IT networks to operational technology assets. Threat actors who gain access to water control systems often require a deep understanding of the targeted system's engineering, and also must possess the ability to manipulate the system in specific ways — such as disabling safety controls — to achieve their desired adverse effects downstream.
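The segmentation argument above only holds if the IT-to-OT boundary is actually enforced in the firewall policy, and that is something a utility can check for itself. The following is an added example (not code from this post or from Google): a small Python audit that evaluates a zone-based ruleset with first-match semantics and reports every path from an IT zone to an OT zone over a common industrial control protocol port. The rule format, zone names, port list and sample ruleset are all constructed for illustration; adapt parse_rules() to your firewall's export format.

```python
"""Audit a zone-based firewall ruleset for direct IT-to-OT paths.

Added example, not code from the post or from Google: the rule format,
the zone names and the sample ruleset below are all constructed for
illustration. Adapt parse_rules() to your firewall's export format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# TCP ports of common industrial control protocols. A path from an IT zone
# to one of these on an OT zone, bypassing the DMZ/jump host, is a finding.
OT_CONTROL_PORTS: Dict[int, str] = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    102: "S7comm",
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"


def parse_rules(text: str) -> List[Rule]:
    """Parse 'src_zone dst_zone port action' lines (constructed format).

    '#' starts a comment; the port is a number or 'any'.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, port, action = line.split()
        rules.append(Rule(src, dst, None if port == "any" else int(port), action.lower()))
    return rules


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, dst_port: int) -> str:
    """First-match evaluation with an implicit deny when nothing matches.

    Ordering matters: an early broad 'allow' shadows a later specific 'deny',
    which is exactly the kind of mistake a rule-by-rule review misses.
    """
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.dst_port in (None, dst_port)):
            return r.action
    return "deny"


def audit_it_to_ot(rules: List[Rule], it_zones: Set[str], ot_zones: Set[str],
                   ports: Dict[int, str] = OT_CONTROL_PORTS) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, port, protocol) for every IT->OT control-protocol path
    the ruleset actually permits after first-match evaluation."""
    findings = []
    for src in sorted(it_zones):
        for dst in sorted(ot_zones):
            for port, proto in ports.items():
                if evaluate(rules, src, dst, port) == "allow":
                    findings.append((src, dst, port, proto))
    return findings


# Constructed sample ruleset. Only ot-dmz (the jump host segment) should be
# able to reach the control network; the 'corp -> scada any' rule is a
# "temporary" exception that was never removed.
SAMPLE_RULESET = """
# src_zone  dst_zone  port  action     (first match wins, implicit deny)
corp        ot-dmz    3389  allow      # RDP to the jump host in the DMZ
ot-dmz      plc       502   allow      # jump host to PLCs over Modbus/TCP
corp        plc       502   deny
corp        scada     any   allow      # legacy exception, never cleaned up
scada       plc       502   allow
"""
SAMPLE_RULES = parse_rules(SAMPLE_RULESET)
IT_ZONES = {"corp"}
OT_ZONES = {"scada", "plc"}

if __name__ == "__main__":
    for src, dst, port, proto in audit_it_to_ot(SAMPLE_RULES, IT_ZONES, OT_ZONES):
        print(f"FINDING: {src} -> {dst} tcp/{port} ({proto}) allowed without a DMZ hop")
```

On the sample ruleset the explicit corp-to-PLC deny does its job, but the broad corp-to-SCADA "any" rule exposes every control protocol port on the SCADA zone directly from the corporate network, which is precisely the IT-to-OT crossing the paragraph above says should be hard. Running the audit on each policy change, rather than reading rules one at a time, is how such shadowed or forgotten exceptions get caught.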

However, less-sophisticated threat actors have shown an increasing interest in targeting critical infrastructure, including water treatment facilities. They may even attempt to use access to support claims of a successful cyberattack for broader messaging and information operations purposes.

Concerns about improving the resilience of critical infrastructure from all hazards, including the role that cybersecurity plays in ensuring resilience, were the subject of a report this February from the President’s Council of Advisors on Science and Technology (PCAST). Google’s Vint Cerf, a member of PCAST, recently wrote in Forbes that in order to meet the challenges facing our water system, we must design “whole sets of systems that support critical infrastructure to operate in expected ways under extreme pressure.”

The PCAST report includes four main recommendations:

  • Establish ways to measure resilience, and set performance goals with minimum delivery objectives for critical services integral to daily life, even in the face of adversity from natural hazards, errors, and attacks.
  • Support and coordinate research and development to better understand existing infrastructure’s weaknesses, and identify steps forward that can introduce deep resiliency. Deep resiliency should include creating a national critical infrastructure observatory that can map our infrastructure, so that we can outmatch adversaries in discovering and addressing vulnerabilities and concentration risk.
  • Break down silos and strengthen government cyber-physical resilience capacity to support the resilience goals of the nation’s critical infrastructure sectors, which can ensure that they can reliably deliver the services that Americans need.
  • Develop greater industry, board, CEO, and executive accountability to ensure that infrastructure is reliable and resilient.

While it remains difficult to affect water safety during a cyberattack, temporarily bringing down a system and posting the results on social media is much more feasible. There are more than 153,000 publicly owned drinking water systems in the U.S., and more than 16,000 wastewater treatment systems. Hackers need to disrupt only a fraction of a percent of those systems to make front-page news and cause panic.

The IT workers keeping water systems running are outmatched today. Many water utilities are highly regulated local monopolies with thin budgets for IT upgrades and security. Few have the technical specialists to counter the best foreign military operations, which can concentrate huge national technical and human resources against their targets. They are armed with slingshots against an immensely powerful Goliath. It’s not a fair fight.

As the incidents above show, threat actors will not constrain themselves just to major population centers. In many cases, rural water systems also support military bases and energy generation. Any hack that disrupted or polluted water would generate the public attention these groups seek. Defending them must be a shared national responsibility.

As former National Cyber Director Chris Inglis said, we need to make it so hard to hack industrial systems that countries and criminals “need to beat all of us to beat any of us.” When it comes to defending America’s clean water supply, that’s something we can all drink to.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

  • Learn how to transform your security operations with our new Modern SecOps Masterclass: Enroll in Google Cloud's Modern SecOps Masterclass on Coursera. Learn to enhance and streamline your security operations. Read more.
  • How SAIF can accelerate secure AI experiments: The best way to learn AI is to create and test models that might lead to benefits for your organization. Here’s how to do it securely (and with a helpful infographic to get you started.) Read more.
  • Cyber Public Health: A new approach to cybersecurity: Cyber Public Health is a new take on cybersecurity that applies lessons from public health to cyber. Learn how Google Cloud is involved with this new approach. Read more.
  • Google Distributed Cloud's air-gapped approach to Zero Trust: In a world of escalating cyber threats, even air-gapped clouds aren't safe. Google Distributed Cloud uses Zero Trust to transform air-gapped clouds. Read more.
  • Announcing VPC Service Controls with private IPs to extend data exfiltration protection: Learn how MSCI secured its sensitive data while benefiting from Google Cloud’s scalability using VPC Service Controls, with our new support for private IP protection. Read more.
  • Introducing Spanner dual-region configurations for data residency: New Spanner dual-region configurations in Australia, Germany, India, and Japan can span two different regions within the same country. Read more.
  • Build user authentication into your gen AI app that accesses a database: Learn how to implement user authentication in a gen AI app that accesses a database. This step-by-step guide can help you safeguard your AI applications. Read more.
  • Spanner gets geo-partitioning: With Spanner geo-partitioning, you get the manageability of a single, global database while improving latency for users around the world. Read more.
  • Start using IAM group authentication with Cloud SQL for PostgreSQL: Learn about the benefits of IAM group authentication, its use cases, and how to start using IAM group authentication with Cloud SQL for PostgreSQL and Cloud SQL for MySQL. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

  • Scaling up malware analysis with Gemini 1.5 Flash: Following our Gemini 1.5 Pro for malware analysis post, we’ve now tested our lightweight Gemini 1.5 Flash model and analyzed its large-scale malware dissection capabilities. Here’s what we learned. Read more.
  • You can build a NIST NICE prompt library with Google’s Gemini: We used Google’s Gemini to create a revolutionary solution: a comprehensive library of more than 6,000 AI prompts designed to guide you through the NICE framework. Here’s how it can help. Read more.
  • APT45: North Korea’s digital military machine: Learn about APT45, a long-running, moderately sophisticated North Korean cyber operator that has been conducting espionage campaigns since at least 2009. They gradually expanded into financially-motivated operations, and they frequently target critical infrastructure. Read more.
  • Whose voice is it anyway? AI-powered voice spoofing can drive next-gen vishing attacks: AI-powered voice cloning can now mimic human speech with uncanny precision. Our Mandiant red team uses the technology to help test defenses. Here’s how organizations should prepare to defend against it. Read more.
  • APT41 has arisen from the DUST: In collaboration with Google’s Threat Analysis Group, Mandiant has observed a sustained campaign by APT41 that has targeted and compromised multiple organizations operating in global shipping and logistics, media and entertainment, technology, and automotive sectors. Read more.

Now hear this: Google Cloud Security and Mandiant podcasts

  • Is ITDR the missing piece in your security puzzle? Get your acronym decoders ready as Adam Bateman, co-founder and CEO, Push Security, goes deep into Identity Threat Detection and Response with hosts Anton Chuvakin and Tim Peacock. Can it help your organization? Listen here.
  • What you need to know about engineering detection, from career paths to scaling SOC teams: Everything you ever wanted to know about being a detection engineer, as Zack Allen, senior director, Detection and Research at Datadog, and the founder of Detection Engineering Weekly, leaves no stone unturned with Anton and Tim. Listen here.
  • Defender’s Advantage: What Iranian threat actors have been up to this year: Mandiant APT researcher Ofir Rozmann joins host Luke McNamara to discuss some notable Iranian cyber espionage actors and their activities so far this year. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.
