A water tower stands above homes along the banks of the Mississippi River on October 12, 2023 in Port Sulfur, Louisiana. Recently, international hackers have targeted water infrastructure in small American towns, including in Texas and Pennsylvania.
CNN —
It was recently reported that a group called Cyber Army of Russia Reborn posted a video on its Telegram channel on January 18th that shows the group manipulating the controls of a Texas water authority's water tank. Specifically, they remotely controlled a water level gauge to turn on a water pump, flooding a water tank in the small town of Muleshoe. The Town of Abernathy also reported a hack into its water system, and the Towns of Lockney and Hale Center announced that hackers attempted to penetrate their water infrastructure without success.
Dragos Co., Ltd.
Robert M. Lee
This became the second cyber threat group to impact U.S. water authorities since November 2023. At that time, CyberAv3ngers, a group that exploits vulnerable internet-connected operational technology devices, launched a global attack against multiple water utilities, including infiltrating systems in small towns such as Aliquippa, Pennsylvania.
These attacks are a far cry from hackers defacing government websites, and are sufficiently disconcerting for those trying to protect sensitive portals. Granted, the attacks on water systems were not technically sophisticated, but they controlled physical processes.
Cybersecurity experts and the U.S. government agree that hostile governments ideologically aligned with these groups have long sought to attack U.S. critical infrastructure.
Cyber Army of Russia Reborn, as the name suggests, has ties to Russia. And CyberAv3ngers has been linked by government agencies to Iran's Islamic Revolutionary Guard Corps, which the United States designated as a foreign terrorist organization in 2019.
In February, the FBI announced that the Chinese-backed threat group VOLTZITE (also known as Volt Typhoon) is targeting the U.S., and it has been confirmed that critical infrastructure around the world has been infiltrated. The infiltration of transportation systems dates back to early 2023.
If the list of powerful hacking groups targeting small and vulnerable infrastructure gives you a Goliath vs. David vibe, you're not alone. The increasing number and intensity of cyberattacks by hostile nation states targeting our critical infrastructure is of paramount concern to the public, industry, and policymakers alike. Hackers have different motivations. They include espionage and reconnaissance, deterrence through demonstrations of capability, and actual disruption of critical services.
Unlike David, who was ready to take on Goliath, our most vulnerable critical infrastructure systems, including our water infrastructure, are not. In fact, as water utilities modernize, they actually become more vulnerable to attack.
Today's landscape is dotted with old, even outdated systems that are not digital and not connected to the internet. Repairing and replacing aging water infrastructure is a top priority for the water industry and lawmakers, which means significantly more connectivity through internet-enabled devices, providing new access points for attackers. Utilities will also start sharing more of the same systems, allowing attackers to launch the same attack against multiple facilities instead of having to customize attacks for each facility.
However, given that new technology is the only option to replace aging systems, and given the operational and financial benefits of digital transformation, going back and leaving all water utilities completely disconnected and manually operated is impractical.
The water attacks we have seen so far have not seriously affected the people these utilities serve. However, both Cyber Army of Russia Reborn and CyberAv3ngers used simple techniques, such as abusing default passwords, in recent attacks.
Make no mistake, if state-led adversaries (of which there are many threat groups backed by Russia, China, North Korea, and Iran) use more sophisticated tactics to disrupt water, the consequences can be serious.
The low level of cybersecurity in some water utilities has not only given threat groups access, but also the opportunity to learn about their systems, architecture, and how to conduct future attacks on other facilities with vulnerable systems. Given how these groups are investigating the operations and weaknesses of our systems, and how they could actually disrupt water treatment processes, degrade water quality, or harm people, I predict that there will be cyberattacks in the future that cause physical damage to systems.
According to the EPA, 90% of the nation's community water systems are small public systems that serve 10,000 or fewer customers. As water industry representatives and legislators have advised, these systems often lack sufficient funding to maintain new equipment and technology, or cybersecurity personnel and services. As a result, they face a growing threat environment without the expertise and technology to fully address cybersecurity risks, including threats to operational technologies such as the industrial control systems that operate water pumping stations.
Government and industry must work together more closely than ever to protect critical infrastructure and services, including water. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency, the Environmental Protection Agency, and other agencies regularly share vulnerability recommendations and guidance with industry and other stakeholders.
But water remains at risk. Unlike other critical infrastructure sectors that have well-developed cybersecurity standards, such as electrical systems, which are consistently targeted and are not well-equipped to fund investments, the water sector has only just begun its efforts. Many water utilities lack the financial and workforce capacity to even prioritize and act on threat information, let alone build defensible systems.
If we truly want to help water utilities protect themselves from cyber threats, we need to close the resource gap. While it's important to protect your personal water bill information, it's also important to protect your actual water. In other words, cybersecurity must protect not only data systems but also operational technology. Additionally, the cost of investing in cybersecurity must be recoverable through local government budgeting processes.
Utilities cannot be forced to choose between reliability and security. Our community needs both.
But funding doesn't solve everything. Water utilities need quick and easy access to cybersecurity tools and resources. Recent grant programs, such as the Department of Homeland Security's State and Local Cybersecurity Grant Program, are helpful, but there are still hurdles to actually getting the funding, including a long and cumbersome process for federal funds to reach utilities. Vendors are also considering how they can give back to the communities they serve. Critical infrastructure is an ecosystem: supporting the sectors that need it most through tools and information sharing strengthens all sectors and supports national security.
As I said in my testimony before Congress in February, we all have the same goal. It's about ensuring safe and accessible water for ourselves, our families, and our communities. We know what we have to do. To actually do that, we need to work together across industry and government. Whether another small town with minimal defenses is targeted, or a more sophisticated attack is launched against a large city's systems, we can't wait for the next attack on our vulnerable water infrastructure.