The Chertoff Group

Adam Isles Talks Water Plant Cyber Threats on CNBC

This morning, Adam Isles, Chertoff Group principal and head of Cybersecurity, joined host Becky Quick on CNBC’s Squawk Box to discuss the latest threats to U.S. water critical infrastructure. Earlier this week, the U.S. government warned of nation state cyber threats from Iran and China.

According to White House National Security Advisor Jake Sullivan, “These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

Isles confirmed the Biden’ Administration’s assessment that more needs to be done to protect water critical infrastructure. Concerns include the availability of water and wastewater treatment, plus the intent by adversaries to create a psychological impact of fear and uncertainty in American communities.

Isles said threats to compromise the water sector are not new and have occurred globally for more than a decade. He mentioned specifically attacks in Israel and Ukraine, and the probing of dam infrastructure here in the United States – in addition to most recent attacks on U.S. water utilities described further below..

There are 50,000 water systems in the U.S. and many operate at a low level of maturity relative to other critical infrastructure sectors. Clearer guidance and more funding and expertise is needed with resiliency not risk elimination as the objective, Isles said.

An attack could potentially play out in varying scenarios from control of water access to the introduction of excess chemicals into the water supply.

A letter to governors from Sullivan described two recent and ongoing threats to water systems:

“Threat actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps
(IRGC) have carried out malicious cyberattacks against United States critical infrastructure
entities, including drinking water systems. In these attacks, IRGC-affiliated cyber actors
targeted and disabled a common type of operational technology used at water facilities where
the facility had neglected to change a default manufacturer password. See Exploitation of
Unitronics PLCs used in Water and Wastewater Systems | CISA for further information on
these attacks.

The People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon
has compromised information technology of multiple critical infrastructure systems,
including drinking water, in the United States and its territories. Volt Typhoon’s choice of
targets and pattern of behavior are not consistent with traditional cyber espionage. Federal
departments and agencies assess with high confidence that Volt Typhoon actors are
pre-positioning themselves to disrupt critical infrastructure operations in the event of
geopolitical tensions and/or military conflicts. See PRC State-Sponsored Actors
Compromise and Maintain Persistent Access to U.S. Critical Infrastructure for further

Sullivan encouraged the states to be vigilant and engage with the Environmental Protection Agency (EPA) and the National Security Council.

Watch Adam Isles’ interview on CNBC.

Let's Talk.

Let's explore ways we can help you manage risk or position for strategic growth.

202.552.5280 | Mon. – Fri. 8:00 AM – 5:00 PM EDT