The unsettling breach of American Water Works Co., which is recognized as the largest publicly traded water utility in the United States, serves as a stark reminder of the expanding cyber threats to essential infrastructure. This incident follows a series of alarming cyberattacks that took place in recent years, marking a significant increase in vulnerabilities that are being scrutinized at the national level.
"The vulnerability and the criticality of water and wastewater systems make them prominent targets for both profit-seeking cyber criminals as well as geopolitical rivals exploiting a new domain of conflict," remarked analysts in a report issued by Microsoft. Their assessment encapsulates the gravity of the threats facing this crucial sector, which provides services to over 14 million residents across 14 states.
"The vulnerability and the criticality of water and wastewater systems make them prominent targets for both profit-seeking cyber criminals as well as geopolitical rivals exploiting a new domain of conflict,"
The latest attack forced American Water to momentarily shut down its customer billing system and other consumer-oriented sites. In a filing to the U.S. Securities and Exchange Commission, company officials emphasized that "none of its water or wastewater facilities or operations have been negatively impacted by this incident," highlighting a potential silver lining amid the chaos.
"none of its water or wastewater facilities or operations have been negatively impacted by this incident,"
This cyber incident isn’t isolated; it follows a troubling pattern of attacks on water systems across the country. Recently, a cyber assault targeted Arkansas City, Kansas, compelling officials to revert to manual operations at its water treatment facility. Furthermore, earlier this year, leading operator Veolia faced its own breach, adding to the growing list of similar incidents.
The recent surge of cyber threats in this domain has drawn explicit attention from the federal government. In 2021, President Biden’s executive order aimed directly at reinforcing the cybersecurity framework of critical infrastructure sectors, particularly those like water and wastewater systems. "Federal agencies like CISA have laid out guidelines and policies that are essential for organizations in these sectors to enhance their cybersecurity posture," officials stated.
"Federal agencies like CISA have laid out guidelines and policies that are essential for organizations in these sectors to enhance their cybersecurity posture,"
The escalation of attacks has been attributed to sophisticated campaigns orchestrated by state-sponsored threat groups, notably those linked to China and Iran. In one notable case, an attack by Iran's CyberAv3ngers on the Municipal Water Authority in Aliquippa, Pennsylvania, demonstrated how geopolitical conflicts can intrude upon essential services. The hackers utilized programmed logic controllers (PLCs) to manipulate systems that monitored water pressure in surrounding areas.
As organizations face an evolving landscape of threats, Microsoft has repeatedly urged the need for enhanced security measures. In their assessments, they noted that the increasing interconnectivity of these systems is likely to lead to a higher volume of cyberattacks. "Addressing the cybersecurity gaps of this expansive critical infrastructure sector will require robust communication and cooperation across the public and private sectors at every level," Microsoft emphasized.
"Addressing the cybersecurity gaps of this expansive critical infrastructure sector will require robust communication and cooperation across the public and private sectors at every level,"
One significant challenge in securing these systems arises from the convergence of IT (Information Technology) and OT (Operational Technology) networks. Historically, OT networks were kept isolated to guard against hacking, but there is a growing trend of integrating these separate systems to improve efficiency. This trend, while economically advantageous, opens up new vulnerabilities that cybercriminals can exploit.
As the situation develops, analysts continue to caution that institutions need to bolster their defenses. The frequency and sophistication of these attacks pose an increasing risk to water systems, which are vital not only for daily life but also for national security. Stakeholders are urged to take the necessary steps to protect this critical infrastructure, as the convergence of technology continues to evolve.
Looking Ahead
Looking ahead, the outlook remains complex. The need for collaboration between public agencies and private sector entities will be paramount in crafting effective strategies to combat these growing cyber threats. The recent attack on American Water serves as a clarion call for immediate action in securing vital infrastructure against the persistent and evolving landscape of cyber threats.