An onslaught faces America’s potable water supply, with connections to China, Russia, and Iran

Recently, the city of Wichita, Kansas, encountered a situation that is becoming increasingly frequent — its water infrastructure fell victim to a cyber intrusion. This cyber assault, which was aimed at water metering, billing, and payment systems, occurred following the targeting of water management facilities throughout the United States in recent times.

In their attacks on America’s water systems, hackers are not employing anything exotic. Despite the mounting concerns regarding AI usage in cyber threats, the primary incursion strategy into systems continues to be exploiting human weaknesses, whether through phishing, social manipulation, or gaining access through outdated default passwords – what Ryan Witt, the vice president at cybersecurity company Proofpoint, describes as “traditional” cyberattacks.

The surge in cybercrime targeting critical infrastructure prompted the Environmental Protection Agency to release a cautionary enforcement notice indicating that 70% of water systems it surveyed were not in complete compliance with the regulations outlined in the Safe Drinking Water Act. Without specifying a precise figure, the EPA cited some systems having “disturbing cybersecurity weaknesses” — such as outdated default passwords, susceptible single sign-on configurations, and former employees who maintained access to systems.

While the tactics employed may appear rudimentary, an attack last year by an Iranian-supported activist organization against 12 water utility companies in the U.S. underscored how deliberate “an attacker’s mindset” can be, according to Witt. Notably, the targeted utilities all utilized equipment produced in Israel.

FBI, NSA, CISA express apprehension

In February, the FBI alerted Congress about Chinese hackers infiltrating the cyber infrastructure of the United States to cause harm, prioritizing water treatment facilities, the power grid, transportation systems, and other crucial infrastructure. In January, a Russia-linked hack of a water treatment plant in Muleshoe, a small town in Texas located near a U.S. Air Force base, caused a water tank to overflow. “Water security lags behind in terms of protection,” Adam Isles, the head of the cybersecurity division at Chertoff Group, recently told CNBC.

The psychological impact on the populace is also a strategic objective, visible not only in the targeting of water resources but also exemplified in the Colonial Pipeline hack that made headlines nationwide in 2021, creating scenarios such as “lengthy queues at gas stations all along the eastern seaboard and anxious individuals filling containers with fuel, fearing a disruption in commuting or school activities,” as described by the federal Cybersecurity and Infrastructure Security Agency.

Attacks on U.S. water utility IT systems can have a similar psychological effect: even when they don’t directly impede utility operations, they erode public confidence in water availability. To date, no breach has resulted in water shutdowns affecting a populace, but that remains a significant concern, according to Stuart Madnick, a professor of engineering systems at MIT and a co-founder of the cybersecurity program at MIT Sloan.

Manipulating a water supply through IT-based attacks, like the incident in Wichita’s system, pales in comparison to a successful assault on the OT (operational technology) governing water plants. This constitutes a substantial risk, according to Madnick, and the likelihood of it occurring is not nil.

“In our research facility, we have demonstrated the potential to shut down operations, such as a water plant, not only for hours or days, but for weeks. It is completely feasible,” he remarked.

A recent correspondence from EPA Administrator Michael Regan and national security advisor Jake Sullivan to the nation’s governors elaborated on the urgency of the threat. Nevertheless, Madnick remains skeptical of the government’s capacity to respond promptly or sufficiently to avert such an event. Fiscal constraints, outdated infrastructure, and procrastination on a matter that might seem both critical and overwhelming imply that the requisite remedies may not be enacted swiftly enough. “It has yet to occur, and substantive action to forestall it ‘likely’ won’t be taken until post-occurrence,” he noted.

Obsolete water infrastructure technology

Similar to any modern system, water facilities depend on technology for monitoring, operations, and customer engagement. This technology introduces vulnerabilities — for providers and consumers alike — underscoring the acute necessity for enhanced security protocols. “The communal risk stemming from cyber assaults involves a perpetrator acquiring operational control of a system to impair infrastructure, disrupt water availability or flow, or manipulate chemical levels, potentially leading to the discharge of untreated wastewater into water bodies or the contamination of drinking water supplied to a community,” as stated by an EPA spokesperson.

Witt suggests some fundamental steps to fortify the cyber resilience of outdated systems. “Enhancing password strength, reducing exposure to public-facing internet, and providing cybersecurity awareness training” would significantly bolster defensive measures, according to him. Another potential solution involves implementing so-called air-gapped systems that isolate supervisory and control systems from other networks. Since the most straightforward route into these systems is through acquiring credentials and then exploiting the system, “an administrator should not be able to access office systems such as email while managing a water system control panel from the same device,” Witt said.

Though not yet deployed in prior water utility attacks, AI is emerging alongside the coordinated cyber activities of geopolitical adversaries. “The rapid progression of artificial intelligence is affording cyber threat actors more sophisticated strategies, methodologies, and procedures to infiltrate operational technology managing critical infrastructure facilities,” the EPA spokesperson shared. “These assaults have been linked to various forms of malicious actors, including hackers working on behalf of or supporting other nations that could leverage disruptions to U.S. critical infrastructure for strategic gain.”
