Drinking water in America is being targeted, with connections to China, Russia, and Iran.

  • Attacks on the country's water infrastructure could harm the availability and flow of water, and contaminate the public drinking water supply.
  • Systems in Kansas, Texas, and Pennsylvania were targeted in a recent series of attacks on water utilities.
  • Foreign-linked cyber criminals have made taking out critical national infrastructure a top priority, with drinking water and wastewater systems being at risk, regardless of their size or location.

Recently, the City of Wichita faced a common issue: its water system was hacked in a cyberattack that targeted water metering, billing, and payment processing. This attack followed the targeting of water utilities across the U.S. in recent years.

Despite the growing concern over AI-based cyber threats, the primary method of gaining unauthorized access to systems remains the traditional cyberattack: exploiting human weaknesses through phishing, social engineering, or default passwords, according to Ryan Witt, vice president of Proofpoint.

The Environmental Protection Agency issued an enforcement alert warning that 70% of water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act due to rising cybercrime targeting key infrastructure. The EPA did not provide an exact number but stated that some systems have "alarming cybersecurity vulnerabilities," including default passwords that have not been updated, vulnerable single login setups, and former employees who retained systems access.

An attack by an Iranian-backed group against 12 U.S. water utilities last year, which targeted equipment made in Israel, highlighted the intentional nature of an attacker's mindset, according to Witt.

FBI, NSA, CISA all express concern

In February, the FBI warned Congress that Chinese hackers have infiltrated the United States' cyber infrastructure with the intention of causing harm, targeting water treatment plants, the electrical grid, transportation systems, and other critical infrastructure. A Russian-linked hack in January of a water filtration plant in Muleshoe, Texas, caused a water tank to overflow. Adam Isles, head of cybersecurity practice for Chertoff Group, recently stated that "water is among the least mature in terms of security."

The objective of influencing the public's psychological state is also a key consideration, as demonstrated by the targeting of water resources and the Colonial Pipeline hack, which caused widespread panic among Americans and resulted in long lines of cars at gas stations across the eastern seaboard.

Cyberattacks on U.S. water utilities' IT systems can have a similar psychological impact on public trust in water supply, even if they don't directly affect the operations of the utility. According to Stuart Madnick, an MIT professor of engineering systems and co-founder of Cybersecurity at MIT Sloan, the bigger concern is the possibility of a hack that shuts off water to a population. No such attack has occurred to date.

A successful attack on the operational technology (OT) that controls water plants poses a massive risk, while meddling with a water supply through attacks targeting IT is minor in comparison, according to Madnick. The threat of such an attack happening is not zero.

Madnick said his lab has shown that it is technically feasible to shut down operations like a water plant for weeks.

The EPA Administrator and National Security Advisor have sent a letter to governors detailing the urgency of the threat. However, Madnick is concerned about the government's ability to act quickly and robustly enough to prevent such an occurrence. He believes that budget constraints, outdated infrastructure, and reluctance to move on an issue that may seem both vital and daunting suggest that the fixes may not come quickly enough. Madnick stated, "It has not happened yet, and serious action to prevent 'likely' will not happen, until after it has happened."

Outdated water utility technology

Water utilities use technology for monitoring, operations, and customer communication, but this technology also creates vulnerabilities for both providers and users. As a result, there is a need for enhanced security measures to protect against cyberattacks that could harm the community. An EPA spokesman stated that the risk of cyberattacks includes an attacker gaining control of the operations of a system to damage infrastructure, disrupt the availability or flow of water, or alter the chemical levels, which could allow untreated wastewater to be discharged into a waterway or contaminate drinking water provided to a community.

Witt suggests that improving password strength, reducing exposure to public-facing internet, and providing cybersecurity awareness training are crucial steps in securing outdated systems. Additionally, deploying air-gapped systems that separate supervisory and control systems from other networks can help prevent unauthorized access and exploitation. A systems admin should not be able to access office systems and control panels from the same laptop, according to Witt.

The EPA spokesman stated that the majority of attacks that have occurred could have been prevented if basic cyber resiliency practices had been adopted. He emphasized that all drinking water and wastewater systems, regardless of size or location, are vulnerable to cyberattacks.

AI is becoming an increasingly important tool for cyberthreat actors targeting water utilities, as rapid advances in artificial intelligence are giving them more sophisticated tactics, techniques, and procedures to penetrate operational technology that controls critical infrastructure facilities. These attacks have been linked to a variety of malicious actors, including hackers working on behalf of or in support of other nations who could use disruptions to U.S. critical infrastructure to their strategic advantage.

by Trevor Laurence Jockims
