On May 20, the US Environmental Protection Agency (EPA) issued an enforcement alert highlighting the serious cyber threat faced by US water utilities and outlining the steps they must take to comply with the Safe Drinking Water Act (SDWA) in order to protect the American drinking water supply. The enforcement alert follows a May 1 fact sheet published jointly by numerous US government agencies, including the EPA, FBI, NSA, and CISA, together with the national cyber security centres of the UK and Canada, providing recommendations for defending against ongoing operations by pro-Russia hacktivists targeting operational technology. It also follows a series of alerts and advisories warning about nation-state actors, particularly Russia, China, and Iran, targeting critical infrastructure: these countries seek to infiltrate industrial control systems and maintain a quiet foothold there with the goal of conducting large-scale disruptive attacks in the event of a geopolitical conflict.
As the pace, complexity, and efficiency of these attacks have increased, so has the threat to organizations involved with the critical infrastructure sectors, whether directly or indirectly. The bevy of government advisories offers a variety of robust and detailed mitigation recommendations, and there is one common thread across all of them: password security. The recommendations include never using default passwords and always using complex, unique passwords for every account. Failure to follow these recommendations hands malicious actors ready-made points of entry. In its recent enforcement alert, the EPA noted that over 70% of the systems it inspected since September 2023 violated the SDWA requirements, with many of those violations involving a failure to change default passwords and the use of a single shared login for all staff. We again want to call attention to this continuing issue, which leaves weak spots within critical infrastructure with potentially severe ramifications, as the US government's recent reporting on China's VOLT TYPHOON illustrates.
The perennial issue of reused, simple, and default passwords, combined with the continued drumbeat from the US, UK, Australian, and New Zealand governments on the importance of complex and unique credentials, once again underscores the need for all organizations, particularly those with a role in supporting critical infrastructure, to implement and enforce secure password policies across their entire estate. That means not just endpoints, but operational technology and industrial control systems as well. The increasingly dangerous cyber threat environment, in conjunction with the central role these organizations play in society, demands the utmost security, not only to protect themselves but also those who rely on them.
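The three failings the EPA and the joint advisories single out (unchanged vendor defaults, passwords reused across accounts, and one login shared by all staff) are easy to audit once an inventory of device accounts exists. The script below is an added example, not code from the EPA, the advisories, or any vendor: it runs a policy audit over a small constructed inventory of OT and ICS accounts. The default-credential list, the sample inventory, the 12-character / three-character-class complexity rule, and the `assigned_to` field are all assumptions made for the illustration; a real audit would use the vendor default lists for the devices in scope and draw the inventory from configuration backups or an identity store.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed, illustrative list of well-known vendor defaults. A real audit
# would substitute the default lists for the specific devices in scope.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "password"),
    ("root", "root"),
    ("operator", "operator"),
}

# Assumed policy for the example: 12+ characters from at least three classes.
MIN_LENGTH = 12
MIN_CLASSES = 3

# Constructed sample inventory. Plaintext passwords appear here only so the
# example is self-contained; in practice they would come from a credential
# test or a configuration backup, never from a file kept in the clear.
SAMPLE_INVENTORY = [
    {"device": "plc-pump-01", "username": "admin",
     "password": "admin", "assigned_to": ["j.doe"]},
    {"device": "hmi-chlorine", "username": "operator",
     "password": "Plant2019!", "assigned_to": ["j.doe", "r.roe", "a.lee"]},
    {"device": "rtu-reservoir", "username": "tech",
     "password": "Plant2019!", "assigned_to": ["r.roe"]},
    {"device": "historian", "username": "svc_hist",
     "password": "Vq7#pLm2$wXz9Rt!", "assigned_to": ["svc"]},
]

Finding = Tuple[str, str, str, str]  # (device, username, kind, detail)


def is_complex(password: str) -> bool:
    """True if the password satisfies the assumed length and class policy."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= MIN_LENGTH and classes >= MIN_CLASSES


def fingerprint(password: str) -> str:
    """Truncated SHA-256 so reuse can be reported without printing a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit(accounts: List[Dict]) -> List[Finding]:
    """Return one finding per policy violation found in the inventory."""
    findings: List[Finding] = []
    holders = defaultdict(list)  # fingerprint -> [(device, username), ...]

    for acct in accounts:
        dev, user, pw = acct["device"], acct["username"], acct["password"]
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append((dev, user, "default-credential",
                             "vendor default still in use"))
        if not is_complex(pw):
            findings.append((dev, user, "weak-password",
                             "shorter than %d chars or too few classes" % MIN_LENGTH))
        people = acct.get("assigned_to", [])
        if len(people) > 1:
            findings.append((dev, user, "shared-login",
                             "one account used by %d people" % len(people)))
        holders[fingerprint(pw)].append((dev, user))

    # A password that fingerprints the same on two accounts is reused, so a
    # compromise of one device gives the attacker the other for free.
    for fp, accts in holders.items():
        if len(accts) > 1:
            for dev, user in accts:
                findings.append((dev, user, "reused-password",
                                 "same password on %d accounts (fp %s)" % (len(accts), fp)))
    return findings


if __name__ == "__main__":
    for dev, user, kind, detail in audit(SAMPLE_INVENTORY):
        print("%-14s %-10s %-18s %s" % (dev, user, kind, detail))
```

The report deliberately carries only a fingerprint of any reused password, so it can be shared with an auditor or attached to a ticket without leaking the credential itself. The `shared-login` check is the one that catches the "single login for all staff" pattern the EPA flagged: a strong password on an account that three operators share still leaves no way to attribute an action or revoke one person's access.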