By Jay Landers

Although cybersecurity threats to U.S. infrastructure are not new, the nature of the threats appears to be evolving. Once primarily the work of individual hackers or organized crime groups looking to extract ransoms from hacked entities, cyberthreats now are also the handiwork of nations looking to harm the U.S., if not today then potentially in the future.

At a recent House committee hearing, federal officials gave ominous warnings about ongoing efforts by the Chinese government to infiltrate U.S. infrastructure via weaknesses in cybersecurity systems. The goal of such efforts, the officials declared, is for the Chinese government to gain the ability to harm vital U.S. infrastructure sectors in the event of a major conflict between the nations. Meanwhile, a separate House hearing, held the same day, focused on how best to ensure cybersecurity among the many thousands of U.S. drinking water and wastewater treatment systems, which can differ significantly in terms of resources and technical capability.

Lurking threat

On Jan. 31, the House Select Committee on the Strategic Competition between the United States and the Chinese Communist Party held a hearing to assess cyberthreats to U.S. security from the Chinese government. The outlook among participants was grim.

In recent years, U.S. intelligence and cybersecurity agencies “have discovered that the CCP has hacked into American critical infrastructure for the sole purpose of disabling and destroying our critical infrastructure in the event of a conflict – a conflict over Taiwan, for example,” said Rep. Mike Gallagher, R-Wis., the chair of the committee, according to a transcript of the Jan. 31 hearing released by the committee.

Gallagher did not mince words in describing the nature of the cyberthreats posed to U.S. infrastructure by China. “This is the cyberspace equivalent of placing bombs on American bridges, water treatment facilities, and power plants,” he said. “There is no economic benefit for these actions. There is no pure intelligence-gathering rationale. The sole purpose is to be ready to destroy American infrastructure, which would inevitably result in chaos, confusion, and potentially mass casualties.”

As part of an effort by a group known as Volt Typhoon, the Chinese government has been working to infiltrate U.S. infrastructure systems since 2021, said Rep. Raja Krishnamoorthi, D-Ill., the ranking member of the committee, at the hearing.

“CCP hackers accessed computer systems of about two dozen critical entities, including in Hawaii and in Guam,” Krishnamoorthi said. “The hackers even attempted to access the Texas electric grid. The purpose of the hacking was not to gather intelligence. The purpose was to install malware that, once activated, would disrupt or damage the infrastructure.”

Ultimately, these efforts amount to “targeting Americans,” Krishnamoorthi said. “This means we could suffer large-scale blackouts in major cities. We could lose access to our cell towers and the internet. We could lose access to clean water and fuel.” Addressing these threats will require thoroughly searching for the presence of possible malware in U.S. infrastructure systems, Krishnamoorthi said. “We need to discover and destroy all malicious code the CCP is attempting to hide within our networks and our critical infrastructure.”

Beating back a botnet

Testifying at the hearing, FBI Director Christopher Wray announced a successful operation to disrupt the hacking efforts of Volt Typhoon. Working with other federal agencies, the FBI “identified hundreds of routers that had been taken over by the (People’s Republic of China’s) state-sponsored hacking group known as Volt Typhoon,” Wray said. “The Volt Typhoon malware enabled China to hide, among other things, preoperational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors – steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous.”

The operation “disrupted a botnet of hundreds of U.S.-based small office/home office routers” that had been hijacked by Volt Typhoon hackers sponsored by the Chinese government, according to a Jan. 31 news release from the U.S. Department of Justice. A botnet is a network of compromised computers or devices that malware places under an attacker’s remote control.

The hackers “used privately owned (small office/home office) routers infected with the ‘KV Botnet’ malware to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims,” the release stated. “These further hacking activities included a campaign targeting critical infrastructure organizations in the United States and elsewhere.” In May 2023, the U.S. Cybersecurity and Infrastructure Security Agency issued an advisory warning about cyberthreats posed by Volt Typhoon.

“The vast majority of routers that (constituted) the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” according to the Justice Department news release. “The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.”

Evolving problem

The Volt Typhoon actions are just the latest in a line of previous efforts by the Chinese government to infiltrate U.S. infrastructure, said CISA Director Jen Easterly in her testimony to the House committee. “We have long been focused on the cyberthreat from China,” Easterly said. However, recent years “have seen a deeply concerning evolution in Chinese targeting of U.S. critical infrastructure,” she noted.

“Leveraging information from our government and industry partners, CISA teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors, including aviation, water, energy, (and) transportation,” Easterly said.

In fact, a recent report by U.S. and allied security agencies determined that the Chinese hackers targeting U.S. infrastructure “have had access to some of their targets’ computer networks for ‘at least five years,’” according to a Feb. 7 CNN story.

Implementing solutions

Although cyberthreats are real and pose definite risks to U.S. infrastructure, solutions to address the threats typically are not difficult to implement, Easterly said. A key part of such efforts is “basic, basic, basic cyber hygiene,” she said. “It’s not rocket science.”

At the same time, owners and operators of infrastructure should avail themselves of resources provided by CISA, Easterly said. “Every critical infrastructure entity should establish a relationship with their local CISA team and take advantage of our free services, including vulnerability scanning, to ensure they can identify and prevent the vulnerabilities that the Chinese cyber actors are using.”

Adhering to CISA’s cybersecurity performance goals and the advisories from CISA and its partner agencies also can help agencies improve cybersecurity, Easterly noted. “Every critical infrastructure entity needs to double down on resilience,” she said.

On Feb. 21, CISA, the FBI, and the U.S. Environmental Protection Agency released a joint fact sheet outlining steps for the water and wastewater sector to take to improve cybersecurity. Titled Top Cyber Actions for Securing Water Systems, the fact sheet highlights eight key actions to protect against cyberthreats.

A focus on the water sector

Also on Jan. 31, the Subcommittee on Environment, Manufacturing, and Critical Materials of the House Committee on Energy and Commerce held a hearing titled Ensuring the Cybersecurity of America’s Drinking Water Systems.

The U.S. has nearly 50,000 community water systems and more than 16,000 publicly owned wastewater treatment plants, noted Rep. Buddy Carter, R-Ga., the subcommittee chair, in his opening statement for the hearing. Given the small size of many such systems, water and wastewater agencies often face significant constraints, Carter said. “The water sector frequently operates on legacy technology systems, and small systems regularly lack the financial resources to hire cybersecurity staff,” he said.

In the face of such constraints, greater federal support is needed to enable water and wastewater agencies to improve their cybersecurity efforts, said Scott Dewhirst, P.E., the superintendent and chief operating officer for Tacoma (Washington) Water, speaking on behalf of the Association of Metropolitan Water Agencies.

In particular, Dewhirst noted that AMWA supports legislation pending in the House and Senate that would direct the EPA to develop a program to facilitate greater participation of water and wastewater agencies in the Water Information Sharing and Analysis Center. A nonprofit organization formed by the EPA and multiple water associations, WaterISAC provides its members with sector-specific security information about threats. “As a nonprofit entity with no direct federal funding, the reach of WaterISAC is limited,” Dewhirst said.

Known as the Water System Threat Preparedness and Resilience Act, the legislation cited by Dewhirst was introduced in early March 2023 in the House (H.R. 1367) by Rep. Janice Schakowsky, D-Ill., and in the Senate (S. 660) by Sen. Edward Markey, D-Mass. As of publication time, neither bill had emerged from committee.

Dewhirst and Kevin Morley, Ph.D., the manager of federal relations for the American Water Works Association, voiced support for the concept of a collaborative approach by which the EPA and the water sector would develop cybersecurity requirements in a manner similar to the reliability standards developed for the electricity sector by the North American Electric Reliability Corp.

The collaborative approach proposed for the water sector “builds on a similar model that has been applied in the electric sector very effectively with congressional approval,” Morley said.

This article is published by Civil Engineering Online.