
Water and wastewater management systems are the latest targets of cyberattacks

April 29, 2024

From Ukraine to the US, the most precious and vital resources are being targeted by professional hackers with links to foreign governments. Water and wastewater management systems with weak digital security are vulnerable to cyberattacks, the results of which can be devastating for communities, cities, and entire countries.

Threat actors working with hostile governments have claimed responsibility for several attacks on water source systems across the US, threatening to wreak havoc on people, the environment, and, essentially, the economy. 

Experts in intelligence and environmental management have come together to address the issues of vulnerable digital systems for critical infrastructure. Here’s everything we know about this issue so far:  

Incidents of Threat Actors Targeting and Gaining Access to Water and Wastewater Systems

The US, Poland, and France have recently been the victims of a series of cyberattacks on water systems, profiled as politically motivated hacks. This was confirmed by Mandiant, a Google Cloud subsidiary security firm, which believes the hackers are linked to the Russian military.

Water and wastewater systems are vital infrastructure yet are incredibly digitally insecure, and a successful threat actor could tamper with drinking water and wastewater management, wreaking havoc on citizens and businesses and bringing entire economies to a halt. 

Mandiant’s report identified a group called Sandworm as the hacking team behind the cyberattacks. Sandworm has an official affiliation with the Russian military. Several groups have claimed responsibility for multiple cyberattacks on water systems this year alone, and some appear to be taking orders directly from Sandworm.

In January of this year, the Cyber Army of Russia claimed responsibility for a flood in Muleshoe, Texas, caused by taking control of the water supply. By corrupting the digital system that controls the water supply, they sent tens of thousands of gallons of water into streets and drain pipes. Around the same time, two other towns in Texas reported malicious activity detected on their networks. In its Telegram group, the Cyber Army of Russia also claimed to be behind an attempted attack on a wastewater utility in Poland.

In March, the Cyber Army of Russia shared a video in which they claimed to have gained access to a hydroelectric power station in France and were able to change the water levels. French publication Le Monde also reported an attack on a mill that was attributed to the Cyber Army, which they mistook for a hydroelectric dam. 

While Russian attack groups have featured prominently, Russia is not the only state with cyber militants targeting US water systems. Last year, hackers linked with Iran gained access to six US water utilities.

What has been established is that hostile nations are ramping up attacks against US infrastructure, which is poorly defended. These attacks could have devastating effects on people, the environment, our water supply, and the economy. With a lack of funding and resources to maintain the cybersecurity of these critical infrastructure systems, the US remains vulnerable. 

What’s Being Done to Combat These Attacks

Two agencies have come to the fore advocating for the enhancement of security for our water and wastewater digital systems: the US Environmental Protection Agency (EPA) and the National Security Agency (NSA). They’ve both issued warnings to state governments urging them to do more. 

In a joint letter submitted to governors, they’ve requested that all water systems be protected by conducting assessments of their implemented cybersecurity practices. They also call for identifying any significant weaknesses, acting swiftly to mitigate risks, and ensuring there’s a plan to respond to and recover from any cyber breaches.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector, but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the letter says. According to the EPA, numerous sources can provide guidance and best practices. These include the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the National Rural Water Association, the American Water Works Association, and the Water Information Sharing and Analysis Center. That list also includes the EPA. 

“We’ve worked across government to implement significant cybersecurity standards in our nation’s critical infrastructure, including in the water sector, as we remain vigilant to the risks and costs of cyber threats.”

The Impact of Cyberattacks on Water Systems

Cyberattacks on critical infrastructure—including water companies—have rocketed in the last few years, with many apparently carried out by groups affiliated with hostile nation-states.

In one example, attackers linked to the Iranian Government's Islamic Revolutionary Guard Corps carried out malicious cyberattacks against a number of critical infrastructure organizations, including drinking water systems. They were able to do this by targeting and disabling Unitronics Programmable Logic Controllers, a widely used piece of operational technology, because the facility had failed to change a default manufacturer password.

In another example, a Chinese government-sponsored cyber group known as Volt Typhoon was able to compromise multiple critical infrastructure systems, including drinking water.

“The current attacks targeting water and wastewater systems should serve as a stark reminder that our critical infrastructure is made up of cyber-physical systems that can be targeted and exploited by hackers,” commented Debrup Ghosh, senior manager at the Synopsys Software Integrity Group.

“This drives home the point that organizations of all types, including public utilities, are essentially software companies—and as such, they need to take cybersecurity hygiene and software supply chain security seriously.”

Conclusion

Water is one of our most important resources, and wastewater management is a crucial process to ensure the water cycle remains free of contaminants. With numerous cyberattacks on the water sources of the US and allied countries, state governments must work together to secure the digital systems that control our supply.

Hacker groups are well-organized and work together in efforts to compromise critical infrastructure. Mandiant’s report established relationships between Sandworm, a Russian military-affiliated hacker group, and other hacker cells like the Cyber Army of Russia. They were also able to show that Sandworm appears to directly influence and control the actions of these groups. Alarmingly, these hackers broadcast their cyberattacks and publicly claim responsibility for them, highlighting their brazen attacks that undermine US and French security.

But it’s not just Russia we have to worry about. China and Iran have also attempted similar attacks using the same tactics. In short, the American water supply is under attack, and unless swift, coordinated action is taken to prevent and prepare for serious incidents, we could see entire states dehydrated and flooded simultaneously. 

While the departments responsible for cybersecurity in water services are in need of more funding, the EPA and NSA have outlined a number of organizations that provide best practices and could be of assistance in strengthening our infrastructure.