Cyberattacks Swamp U.S. Water Systems: A Growing Threat
Over the past eighteen months, the United States has witnessed an unprecedented surge in cyberattacks targeting water supply and wastewater management services. Among the perpetrators are cybercriminals, hacktivists, and state-sponsored groups.
In one notable instance, pro-Iranian hackers breached a programmable logic controller (PLC) at a water utility near Pittsburgh, leaving an anti-Israeli message on the display. As a result, water pressure regulation systems had to be switched to manual operation.
Another incident affected an operator serving 500 North American communities. Following a ransomware attack, the connection between IT and OT networks was severed, and customer data was compromised. In October, the largest regulated water utility in the country lost access to its websites and telecommunications network due to a cyberattack.
These incidents have exposed vulnerabilities in water infrastructure, prompting warnings from CISA, the FBI, the EPA, and WaterISAC. Most attacks targeted small utilities with limited resources, which made them easy prey. Attacks on larger entities, such as Veolia and American Water, generally impacted only IT systems and did not disrupt the water supply.
The challenge in safeguarding these systems lies in the fact that small utilities often lack both the expertise and financial resources to implement advanced security measures. Experts caution that government recommendations for adopting cutting-edge monitoring systems may be overly burdensome for smaller utilities, which prioritize basic infrastructure upgrades like replacing aging pipes.
The expansion of remote access to previously isolated equipment has also heightened risks. PLCs and SCADA systems, which enable remote pump control and alarm monitoring, are frequently reachable without adequate network segmentation or secure access controls. Although manufacturers like Siemens are shipping devices with stronger security features, these capabilities are rarely enabled by the utilities that deploy them.
A significant issue remains the continued use of default factory passwords, which hackers exploit to infiltrate systems. For instance, the Cyber Av3ngers group compromised controllers at a facility in Aliquippa by exploiting default device settings.
Some major integrators, such as Black & Veatch, are already incorporating enhanced security measures into the design of new OT systems. Experts highlight basic steps to bolster security, including the use of unique passwords, multi-factor authentication, data backups, and incident response planning. Additional recommendations include properly configured firewalls and centralized log collection to detect potential threats.
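The two failures described above (PLC management ports reachable from outside the engineering segment, and logins with vendor default accounts) are exactly what centralized log collection is meant to catch. The following script is an added illustration, not code from the article or from any utility or vendor it names: it runs three simple detections over constructed firewall and PLC authentication records. The engineering subnet, the PLC port list, the default account names, the hostnames, and the sample log lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumptions for this example: the approved engineering segment, the PLC
# management ports in use, and the vendor default account names are all
# placeholders; a real deployment takes them from its own asset inventory.
ENGINEERING_NET = ipaddress.ip_network("10.20.0.0/24")
PLC_PORTS = {502, 20256, 44818}           # Modbus/TCP, Unitronics PCOM, EtherNet/IP
DEFAULT_ACCOUNTS = {"admin", "operator"}  # accounts that ship enabled by default
SWEEP_THRESHOLD = 3                       # distinct PLCs probed by one source

# Constructed sample: firewall connection records and PLC authentication
# events as they might arrive at a central log collector (key=value form).
SAMPLE_LOGS = """\
2024-11-03T02:14:07Z fw01 conn src=10.20.0.15 dst=10.30.1.7 dport=502 action=allow
2024-11-03T02:14:11Z fw01 conn src=203.0.113.44 dst=10.30.1.7 dport=20256 action=allow
2024-11-03T02:14:12Z plc-well3 auth user=admin src=203.0.113.44 result=success
2024-11-03T02:15:40Z fw01 conn src=10.20.0.15 dst=10.30.1.8 dport=44818 action=allow
2024-11-03T02:16:02Z plc-well3 auth user=jsmith src=10.20.0.15 result=success
2024-11-03T02:17:30Z fw01 conn src=198.51.100.9 dst=10.30.1.8 dport=502 action=deny
2024-11-03T02:17:31Z fw01 conn src=198.51.100.9 dst=10.30.1.9 dport=502 action=deny
2024-11-03T02:17:32Z fw01 conn src=198.51.100.9 dst=10.30.1.10 dport=502 action=deny
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<kv>.*)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    src: str
    detail: str


def parse_line(line):
    """Split '<ts> <host> <event> k=v k=v ...' into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for tok in m["kv"].split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec


def analyze(log_text):
    """Return findings in log order; the per-source sweep finding comes last."""
    findings = []
    probed = defaultdict(set)   # denied source -> set of PLC addresses it probed
    last_seen = {}              # denied source -> timestamp of its latest attempt
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "src" not in rec:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue                     # skip records with an unparsable source
        outside = src not in ENGINEERING_NET

        if (rec["event"] == "conn" and rec.get("dport", "").isdigit()
                and int(rec["dport"]) in PLC_PORTS):
            # Rule 1: a PLC port was reached from outside the engineering segment
            if rec.get("action") == "allow" and outside:
                findings.append(Finding(rec["ts"], "plc_port_outside_engineering",
                                        rec["src"], f"{rec.get('dst')}:{rec['dport']}"))
            # Rule 3 (collected here, reported below): denied probes across PLCs
            elif rec.get("action") == "deny":
                probed[rec["src"]].add(rec.get("dst"))
                last_seen[rec["src"]] = rec["ts"]

        elif rec["event"] == "auth" and rec.get("result") == "success":
            user = rec.get("user", "")
            # Rule 2: a vendor default account was used successfully
            if user in DEFAULT_ACCOUNTS:
                findings.append(Finding(rec["ts"], "default_account_login", rec["src"],
                                        f"user={user} host={rec['host']}"))
            elif outside:
                findings.append(Finding(rec["ts"], "login_from_outside_engineering",
                                        rec["src"], f"user={user} host={rec['host']}"))

    for src, targets in probed.items():
        if len(targets) >= SWEEP_THRESHOLD:
            findings.append(Finding(last_seen[src], "plc_port_sweep", src,
                                    f"{len(targets)} PLCs probed on PLC ports"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.ts} {f.rule:30} src={f.src} {f.detail}")
```

Run against the sample, the script reports the allowed connection from 203.0.113.44 to a PLC port, the successful `admin` login that followed it, and the three-PLC sweep from 198.51.100.9; the engineer's own session from 10.20.0.15 produces nothing. The point for a small utility is that none of this requires a commercial monitoring platform, only that firewall and PLC logs reach one place and that someone defines which subnet is allowed to talk to the controllers.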