Cyberattacks on U.S. Water Systems: A Growing Threat
The cyberattack on the City of Wichita’s water system, which disrupted metering, billing, and payment processing, is just the latest in a string of attacks targeting critical infrastructure in the United States. The rising tide of cyberattacks on water utilities, coupled with growing concerns about the integration of artificial intelligence (AI) in cyber threats, has raised alarm bells about the vulnerability of our nation’s water supply. While the methods used in these attacks may seem simple, the potential consequences are severe, including the disruption of essential services and the erosion of public trust.
Key Takeaways
- Rising Cybercrime: The targeting of water utilities is part of a broader trend of cyberattacks on critical infrastructure, raising concerns about the resilience of systems vital to national security and public safety.
- Vulnerable Systems: Many water systems are particularly vulnerable due to outdated technology, poor cybersecurity practices, and basic security lapses like default passwords and single-login setups.
- Psychological Impact: Successful cyberattacks on water utilities can have a profound psychological impact on the public, leading to anxiety and distrust in the safety and reliability of the water supply.
- Growing AI Threat: The integration of AI in cyberattacks is rapidly evolving, potentially granting attackers more sophisticated tools and tactics for compromising critical infrastructure.
The Environmental Protection Agency (EPA) has issued an enforcement alert highlighting the severity of the threat, warning that 70% of inspected water systems do not fully comply with the Safe Drinking Water Act’s cybersecurity requirements. The agency emphasizes that vulnerabilities in water systems are "alarming" and call for urgent action to strengthen security measures. The recent attacks, including one against 12 U.S. water utilities linked to an Iranian-backed activist group, underscore that even seemingly simple attacks can have significant consequences.
The Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have joined the chorus of concern, warning that Chinese hackers have infiltrated US cyber infrastructure, seeking to disrupt critical services including water treatment, power grids, and transportation systems. A Russian-linked hack in Texas in January even caused a water tank to overflow, highlighting the potential for real-world damage.
"Water is among the least mature in terms of security," says Adam Isles, head of cybersecurity practice for the Chertoff Group. The lack of robust security measures, combined with the increasing sophistication of cyberthreat actors, leaves the nation’s water supply vulnerable to potential disruptions.
The threat to water utilities goes beyond simple disruption. Experts warn that a successful attack on the operating technology (OT) that controls water plants could result in extended shutdowns, potentially lasting weeks. "We have demonstrated in our lab how operations, such as a water plant, could be shut down not just for hours or days, but for weeks," says Stuart Madnick, an MIT professor of engineering systems and co-founder of Cybersecurity at MIT Sloan.
The EPA, along with the White House, has urged states to prioritize cybersecurity in their water systems. However, Madnick cautions that government action may be too slow and insufficient to adequately address the growing threat. Outdated infrastructure, limited budgets, and a reluctance to confront the issue head-on may delay critical improvements until after a major incident occurs. "It has not happened yet, and serious action to prevent ‘likely’ will not happen, until after it has happened," Madnick warns.
Addressing the Threat
The vulnerabilities in water systems stem from a combination of factors, including outdated technology and a lack of awareness and training. "The community risk from cyberattacks includes an attacker gaining control of the operations of a system to damage infrastructure, disrupt the availability or flow of water, or altering the chemical levels, which could allow untreated wastewater to be discharged into a waterway or contaminate drinking water provided to a community," says an EPA spokesperson.
Several steps can be taken to bolster the cyber defenses of water utilities. Improving password strength, limiting public-facing internet exposure, and investing in cybersecurity awareness training are all essential first steps. Additionally, organizations can implement air-gapped systems, which physically separate operational control systems from other networks, making it more difficult for hackers to access critical infrastructure.
The EPA stresses that many of the recent attacks targeting water utilities were avoidable. "Systems were victimized by destructive and costly cyberattacks because they failed to adopt basic cyber resiliency practices," the EPA spokesperson said.
While AI hasn’t yet been used directly in attacks on water systems, the rapid advance of AI technology raises serious concerns for the future. "Rapid advances in artificial intelligence are giving cyberthreat actors more sophisticated tactics, techniques, and procedures to penetrate operational technology that controls critical infrastructure facilities," the EPA spokesperson said. "These attacks have been linked to a variety of types of malicious actors, including hackers working on behalf of or in support of other nations who could use disruptions to U.S. critical infrastructure to their strategic advantage."
The growing threat to U.S. water utilities necessitates a comprehensive approach to cybersecurity. Immediate action is required to strengthen defenses, upgrade outdated infrastructure, and raise awareness about the importance of cybersecurity in protecting our essential water supplies. "All drinking water and wastewater systems are at risk — large and small, urban and rural," the EPA spokesperson warns. The failure to address this threat could have severe consequences for our nation’s security and wellbeing.
