A video was posted on the Telegram channel of a group called Cyber Army of Russia Reborn on January 18. The video showed that they had manipulated controls for water tanks at a Texas water authority. They were able to turn on water pumps by remotely altering water level indicators, leading to a water tank overflowing in the small town of Muleshoe.
Robert M. Lee
Another town, Abernathy, also reported a water system hack. Additionally, hackers attempted to breach the water infrastructure of Lockney and Hale Center, although they were not successful in doing so.
Dragos, Inc.
This was the second cyber threat group to impact US water authorities since November 2023. The first group, CyberAv3ngers, targeted vulnerable internet-connected operational technology devices and launched global attacks on multiple water utilities. They successfully breached systems in Aliquippa, Pennsylvania.
These attacks were different from hackers defacing government websites. While the water system attacks were not technically sophisticated, they managed to take control of physical processes.
Cybersecurity experts and the US government both acknowledge that adversarial national governments, who share similar ideologies with these groups, have been targeting critical infrastructure in the United States.
The Cyber Army of Russia Reborn is affiliated with Russia, as indicated by their name. Meanwhile, CyberAv3ngers has been connected by government entities to Iran's Islamic Revolutionary Guard Corps, which was labeled a foreign terrorist organization by the US in 2019.
In February, the FBI confirmed that the China-backed threat group VOLTZITE, also known as Volt Typhoon, had infiltrated critical infrastructure in the US and around the world, going back to early 2023, in preparation for future attacks targeting not just the water sector but also critical communications infrastructure, energy and transportation systems.
If this list of powerful hacking groups targeting small and vulnerable infrastructure gives you a Goliath vs. David vibe, you are not alone. The growing number and intensity of cyber attacks backed by adversarial nations targeting our critical infrastructure are of top concern to the public, industry and policymakers alike. The hackers’ motives are many: espionage and reconnaissance, deterrence by showing their capabilities, actual disruption of essential services and more.
Our critical infrastructure systems, including water infrastructure, are not prepared for potential attacks. Modernizing water facilities will actually make them more vulnerable to cyber threats.
Currently, many water systems are outdated and not connected to the internet. However, there is a push to upgrade and replace these aging systems. This means that they will become more interconnected through internet-enabled devices, providing attackers with new entry points. Additionally, as systems become more integrated, attackers can launch the same attack on multiple facilities without the need for customization.
This photo from Tipton Municipal Utilities shows the Tipton, Indiana, wastewater treatment plant.
However, in today's world where aging systems need to be replaced with new technologies, it is not practical to go back in time and keep water facilities completely disconnected or operate them manually. The benefits of digital transformation, both operationally and financially, make it necessary to embrace new technologies for the future of water plants.
The water attacks we’ve witnessed have not caused any major harm to the public. Both Cyber Army of Russia Reborn and CyberAv3ngers utilized basic techniques, like taking advantage of a default password, in their recent attacks.
It is important to understand that if a state-supported enemy (with numerous threat groups supported by Russia, China, North Korea, and Iran) employed more advanced strategies to interfere with water systems, the impact could be significant.
Some water facilities have low levels of cybersecurity, allowing threat groups to gain access and learn about the systems, architectures, and ways to gain control for future attacks on vulnerable systems. It is concerning that these groups have been studying our systems' operations and weaknesses, which could lead to cyberattacks disrupting water treatment processes, corrupting water quality, or causing physical damage to harm people in the future.
According to the EPA, 90% of the nation's community water systems serve 10,000 or fewer customers and are considered small public systems. Water industry representatives and lawmakers have pointed out that these systems often lack sufficient budgets for new equipment, technology, or cybersecurity personnel. This leaves them vulnerable to the increasing threat environment without the necessary expertise and technologies to fully address cybersecurity risks, including threats to operational technology like industrial control systems at water pumping stations.
Government and industry need to work together closely to safeguard critical infrastructure and services, including water. Various agencies, like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and the Environmental Protection Agency, share advisories and guidance with industry and stakeholders regularly.
However, the water sector remains vulnerable. While other critical infrastructure sectors have established cybersecurity standards, the water sector is just starting its cybersecurity journey. Many water facilities struggle with limited financial resources and workforce capacity to address threats and enhance their systems' security.
If we want to support water utilities in protecting against cyber threats, we need to address the resource gap. It's crucial to safeguard not only your personal information on your water bill, but also the security of your actual water supply. This requires cybersecurity measures to extend to operational technology, not just data systems. Additionally, the costs for investing in cybersecurity should be included in local government budget planning processes.
We believe that utilities should not have to choose between reliability and security. Both are essential for our communities.
However, simply providing funding is not enough. Water utilities require quicker and simpler access to cybersecurity tools and resources. While recent grant programs like the Department of Homeland Security’s State and Local Cybersecurity Grant Program have been helpful, there are still challenges in actually securing funding. The process for federal money to reach utilities is lengthy and cumbersome. Additionally, vendors are exploring ways to contribute to the communities they serve. Critical infrastructure functions as an interconnected system, and by aiding the most vulnerable sectors with tools and information sharing, we can strengthen all sectors and enhance national security.
As mentioned in my testimony to Congress in February, our common goal is to ensure that safe and clean water is readily available for everyone in our communities. It is clear that we already have the necessary knowledge to address this issue, but what is crucial now is collaboration between different sectors, including industry and government, to take action. We cannot afford to wait for another potential attack on our water infrastructure, whether it be a small town with limited defenses or a more sophisticated cyber attack on a major city's water systems.
Editor's P/S:
The article highlights the growing threat of cyberattacks targeting critical infrastructure, particularly water systems, in the United States. The recent incidents involving the Cyber Army of Russia Reborn and CyberAv3ngers demonstrate that adversaries are actively exploiting vulnerabilities in water infrastructure to disrupt essential services. While the attacks have not yet caused significant harm, experts warn that more sophisticated strategies could have severe consequences.
The article also emphasizes the challenges faced by water utilities in addressing cybersecurity risks. Many water systems are outdated and lack adequate funding and expertise to implement robust cybersecurity measures. This vulnerability makes them attractive targets for threat groups. The government and industry need to collaborate closely to safeguard critical infrastructure and provide water utilities with the resources and support they need to protect against cyber threats. By investing in cybersecurity, we can ensure that safe and clean water remains readily available for everyone in our communities.