- A cyberattack against the country’s water system could damage infrastructure, disrupt water supply or flow, alter chemical levels and contaminate public drinking water.
- The latest wave of attacks on water utilities has included water systems in Kansas, Texas and Pennsylvania.
- Disrupting critical national infrastructure has become a top priority for foreign-linked cybercriminals. “All water and wastewater systems, large and small, urban and rural, are at risk,” an EPA spokesperson said.
The City of Wichita recently experienced something that is becoming all too common: its water system was hacked. The cyberattack, which targeted water meters, billing, and payment processing, follows a string of attacks targeting water utilities across the US in recent years.
The hackers targeting America’s water aren’t doing anything special. Despite growing concerns about AI being used in cyber threats, Ryan Witt, vice president of cybersecurity firm Proofpoint, says criminals are still getting into systems through “old-fashioned” cyberattacks that exploit human weaknesses, like phishing, social engineering, or systems that run with default passwords.
In response to a rise in cybercrime targeting critical infrastructure, the Environmental Protection Agency issued an enforcement alert warning that 70% of the water systems it inspected were not fully compliant with the requirements of the Safe Drinking Water Act. While the EPA did not provide exact figures, it said some of the systems had “serious cybersecurity vulnerabilities,” including default passwords that had not been updated, weak single-login settings, and former employees who retained access to the systems.
Witt said the methods may be simple, but the attacks last year by Iranian-backed activists on 12 U.S. water utilities – all of which featured Israeli-made equipment – showed how deliberate the “attacker mindset” can be.
The FBI, NSA and CISA all expressed concerns
In February, the FBI warned Congress that Chinese hackers had penetrated deep into U.S. cyber infrastructure, seeking to target and damage water treatment plants, power grids, transportation systems and other critical infrastructure. In January, a water filtration facility in Muleshoe, a small Texas town near a U.S. Air Force base, was hacked in part by Russia, causing water tanks to overflow. “Water is one of the most immature areas in terms of security,” Adam Isles, head of cybersecurity at the Chertoff Group, recently told CNBC.
The psychological impact on residents is also a strategic aim, as evidenced not only by the targeting of water resources but also by the hack of the Colonial Pipeline, which made national headlines in 2021 and resulted, in the words of the federal Cybersecurity and Infrastructure Security Agency, in “snaking lines of cars at gas stations along the East Coast and panicked Americans filling bags with gas, fearful that they would not be able to go to work or send their children to school.”
Attacks on the IT systems of U.S. water utilities could have a similar psychological effect, undermining public confidence in their water supply even if they don’t directly interfere with the utilities’ operations. No hacks have so far resulted in water being cut off to residents, but that prospect is the bigger concern, said Stuart Madnick, a professor of engineering systems at MIT and co-founder of MIT Sloan’s cybersecurity program.
Interfering with water supply through an attack targeting IT (information technology), as happened with the Wichita system, is a small thing compared to a successful attack on the OT (operational technology) that controls the water supply. Madnick said that is a big risk, and the threat of it happening is non-zero.
“We’ve demonstrated in the lab that we can shut down things like water treatment plants, not just for hours or days, but for weeks at a time. It’s definitely technically possible,” he said.
Recent letters sent to governors by EPA Administrator Michael Regan and National Security Advisor Jake Sullivan detail the urgency of this threat. But Madnick worries about whether the government can act quickly and forcefully to stop this from happening. Budgets, outdated infrastructure and a reluctance to tackle what seems like a big, hard problem suggest that solutions may not actually come quickly enough. “It hasn’t happened yet, and it will have to happen before we take serious action to prevent it,” he said.
Outdated water technology
Like any modern system, water utilities rely on technology to monitor, operate and communicate with customers. That technology creates vulnerabilities for both providers and users, and with them an urgent need for stronger security measures. “Community risks from cyberattacks include attackers gaining control over system operations to damage infrastructure, disrupt water supplies or flows, or alter chemical levels, which could result in untreated wastewater being discharged into waterways or contaminating drinking water supplies to communities,” an EPA spokesperson said.
Witt says there are some steps that can be taken first to improve the cyber hygiene of older systems. “Increasing password strength, reducing exposure to the internet, and the need for cybersecurity awareness training” would go a long way to shore up defenses, he said. Another potential solution is to implement so-called air-gapped systems that isolate monitoring and control systems from other networks. The easiest way into these systems is to get hold of the credentials and exploit them, so “a systems administrator shouldn’t be able to access their office systems, like email, and operate the water system control panel from the same laptop,” Witt said.
Most of the attacks that occurred were preventable, according to the EPA. “Failure to adopt basic cyber resilience measures left systems vulnerable to destructive and costly cyber attacks,” an EPA spokesperson said. “All water and wastewater systems, large or small, urban or rural, are at risk.”
While AI has not previously been a tool in attacks on water utilities, it is now accompanying coordinated cyberattacks by geopolitical rivals. “Rapid advances in artificial intelligence are providing cyber threat actors with more sophisticated tactics, techniques and procedures to penetrate the operational technologies that manage critical infrastructure facilities,” an EPA spokesperson said. “These attacks have been associated with multiple types of malicious actors, including hackers acting on behalf of or in support of other nations seeking strategic leverage over disruptions to U.S. critical infrastructure.”