The recent attack on American Water Works Co., the country’s largest publicly traded water utility, is the latest example of the growing cyberthreat to water systems and other critical infrastructure that gained national attention in 2021 with the ransomware attack on Colonial Gas and has been an ongoing focus of the federal government.
Critical infrastructure systems were a central part of President Biden’s 2021 executive order to strengthen the United States’ cybersecurity, with federal agencies like CISA laying out guidelines and policies that organizations in such sectors as water and wastewater, telecommunications, energy, healthcare, and financial services should follow.
Such threats have been put under a brighter spotlight in recent months as federal intelligence agencies have detected campaigns by China-sponsored threat groups to infiltrate networks and systems within such industries and other efforts by nation-state hackers from Iran and elsewhere to disrupt operations.
The water and wastewater infrastructure in the United States and even in other countries has been hard hit by hackers in recent years, with American Water being the latest victim. The New Jersey-based company, which delivers services to more than 14 million people in 14 states, detected an attack in its network that forced it to shut down its customer billing system and other customer-facing websites.
In a filing with the U.S. Securities and Exchange Commission (SEC), company officials wrote that “none of its water or wastewater facilities or operations have been negatively impacted by this incident.”
Other Attacks on Water Systems
The attack on American Water follows similar incidents in the industry. Most recently, officials in Arkansas City, Kansas, late last month reported a cyberattack at its water treatment facility, which forced them to switch to manual operations. In January, water and wastewater systems operator Veolia also came under attack.
Late last year, the Municipal Water Authority in Aliquippa, Pennsylvania, came under attack likely by the Iranian threat group CyberAv3ngers, which used programmable logic controllers (PLCs) developed by Unitronics to take control of a system that monitor water pressure for nearby towns. Iranian bad actors also were behind other attacks on water systems that U.S. law enforcement was investigating.
Around the same time of the Veolia attack, several U.S. agencies released guidelines to help water and wastewater system operators better respond to cyberattacks.
In December 2023, Microsoft issued a report about the need to harden the security of water and wastewater systems, noting that the importance such systems play in the daily lives of Americans also is fueling the growing cyberattacks on them, which are bound to increase as they become more connected and digitized.
“The vulnerability and the criticality of water and wastewater systems make them prominent targets for both profit-seeking cyber criminals as well as geopolitical rivals exploiting a new domain of conflict,” Microsoft wrote in the report. “Addressing the cybersecurity gaps of this expansive critical infrastructure sector will require robust communication and cooperation across the public and private sectors at every level.”
Convergence of IT and OT a Concern
The ongoing convergence of IT and operational technology (OT) systems is helping to drive efficiencies and lowering costs for organizations, but it’s also creating vulnerabilities that threat actors can take advantage of. OT networks typically have been kept separate from IT systems and from the internet and other networks, historically making them difficult for hackers to access.
However, businesses are increasingly converging their IT and OT networks to drive efficiencies in processes and provide remote support. There also is greater availability of IP-enabled devices and cheaper commercial off-the-shelf software (COTS), according to the Global Security Alliance.
The convergence also comes with security risks, with OT becoming more vulnerable to weak security measures and attacks by increasingly sophisticated threat groups armed with such technologies as generative AI and backed by nation-states.
A Need to Strengthen Protections
Organizations need to harden their defenses as the risk landscape expands, creating opportunities for MSPs and MSSPs.
Craig Birch, principal security engineer and technology evangelist at Microsoft security solutions startup Cayosoft, said “poor identity hygiene” is a key reason such systems are exploited, with many that still rely on outdated technologies that can’t support such technologies as multi-factor authentication (MFA), which leaves them vulnerable to credential-based attacks.
“In numerous cases, water utilities and critical infrastructure operators continue to use default system credentials, active credentials tied to stale or orphaned accounts and allow unmanaged convergence between IT and OT networks,” Birch said.
What they need are such practices as using MFA, managing identity lifecycles to eliminate stale accounts, removing standing privileges, following zero trust principles, and enforcing stricter segmentation between IT and OT networks, he said.
“The rise of sophisticated threat groups, equipped with advanced techniques and a clear focus on critical systems, demonstrates the escalating nature of cyberattacks,” said Ryan Sherstobitoff, senior vice president of threat research and intelligence at cybersecurity fir SecurityScorecard. “These threats underscore the urgent need for organizations to reassess their cybersecurity strategies, reinforce defenses, and embrace a zero-trust mindset to safeguard essential services.”
