America’s small town water systems are global cyber targets. Is your city next?

A group called Cyber Army of Russia Reborn posted a video on their Telegram channel January 18 showing that they had manipulated controls for water tanks at a water authority in Texas, it was recently reported. Specifically, they turned on water pumps by remotely changing water level indicators and caused a water tank to overflow in the small town of Muleshoe. The town of Abernathy also reported a water system hack, while the towns of Lockney and Hale Center said hackers tried to breach their water infrastructure but were unsuccessful.

Robert M. Lee - Dragos, Inc.

This was the second cyber threat group to affect US water authorities since November 2023, when CyberAv3ngers, a group exploiting vulnerable operational technology devices connected to the internet, launched global attacks on multiple water utilities, including a successful breach of systems in the small town of Aliquippa, Pennsylvania.

These attacks were very different from the hackers targeting government websites, much to the dismay of those trying to secure sensitive portals. Yes, the water system attacks were not technically sophisticated, but they took control of physical processes.

Cyber security experts and the US government agree that rival national governments, with whom these groups align, have long had their sights set on attacking critical infrastructure in the United States.

Cyber Army of Russia Reborn, as their name suggests, align themselves with Russia. And CyberAv3ngers have been linked by government agencies to Iran’s Islamic Revolutionary Guard Corps, which the United States designated as a foreign terrorist organization in 2019.

In February, the FBI confirmed that the China-backed threat group VOLTZITE, also known as Volt Typhoon, had infiltrated critical infrastructure in the United States and around the world in preparation for future attacks, targeting not only the water sector but also critical communication infrastructure, energy and transport systems, going back to the beginning of 2023.

If this list of powerful hacking groups targeting small and vulnerable infrastructure gives you a Goliath vs. David vibe, you’re not alone. The growing number and severity of cyber-attacks supported by adversary nations targeting our critical infrastructure is of greatest concern to the public, industry and policy makers alike. Hackers have many motives: espionage and reconnaissance, deterrence by demonstrating their abilities, actual disruption of essential services and many others.

Unlike how David was prepared to take on Goliath, our most vulnerable infrastructure systems – including water infrastructure – are poorly prepared. In fact, as water facilities modernize, they will become even more vulnerable to attack.

Today’s landscape is filled with older – even obsolete – systems that are not digital and not connected to the internet. Rehabilitation and replacement of aging water infrastructure is a top priority for the water sector and lawmakers, which means these systems will become much more connected through internet-enabled devices, providing new access points for attackers. They will also begin to share more of the same systems – meaning attackers can launch the same attack on multiple facilities rather than trying to tailor attacks for each facility.

But given that new technologies are the only option for replacing aging systems, as well as the operational and financial benefits of digital transformation, it is not realistic to go back in time and keep all water facilities completely disconnected or operated manually.

The water attacks we have seen so far have not had serious consequences for the people they serve. However, Cyber Army of Russia Reborn and CyberAv3ngers used unsophisticated methods, such as exploiting default passwords, in their recent attacks.

Make no mistake: if a state-sponsored enemy – and there are many threat groups backed by Russia, China, North Korea and Iran – were to use more sophisticated tactics to disrupt water, the consequences could be severe.

The low level of cyber security at some water facilities not only allowed threat groups to gain access but also gave them the opportunity to learn about the systems, architectures and ways to carry out future attacks on the next facility with vulnerable systems. Because of the way these groups are investigating the operations and weaknesses of our systems, I expect to see future cyber attacks that actually disrupt water treatment processes, contaminate water quality or physically damage systems in a way that could harm people.

According to the EPA, 90% of the nation’s community water systems are small public systems that serve water to 10,000 or fewer customers. As both water industry representatives and lawmakers have suggested, they often lack sufficient budgets for new equipment and technology, or to maintain cybersecurity personnel or services. They are therefore facing a growing threat environment without the expertise and technologies to fully address cyber security risk, including threats to their operational technology, such as the industrial control systems that operate water pumping stations.

Government and industry must coordinate more closely than ever to protect critical infrastructure and services, including water. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency, the Environmental Protection Agency and other agencies regularly share vulnerability advisories and guidance with industry and other stakeholders.

But water is still at risk. Unlike other critical infrastructure sectors that have well-developed cyber security standards, such as our electricity systems which are consistently targeted and do not have structures in place to fund investments, the water sector is only beginning its cyber security journey. Many water utilities lack the financial resources and manpower to even prioritize and act on threat intelligence, let alone build defensible systems.

If we really want to help protect water utilities against cyber threats, we need to close the resource gap. Protecting your personal information in your water bill is important, but so is protecting your water. That means cyber security must protect operational technology and not just data systems. And the costs of investing in cyber security must be recoverable through local government budget setting processes.

We cannot make utilities choose between reliability and security. Our communities need both.

But funding doesn’t solve everything. Water utilities need faster and easier access to cybersecurity tools and resources. Recent grant programs, like the Department of Homeland Security’s State and Local Cybersecurity Grant Program, help, but hurdles remain in actually getting funding, including a long, arduous process to get federal money out to utilities. Vendors are also looking at how they can give back to the community they serve. Critical infrastructure is an ecosystem, and by supporting the sectors that need it most through tools and information sharing we are supporting all sectors and supporting national security.

As I said in my testimony before Congress in February, we all have the same goal: safe and accessible water for ourselves, our families and our communities. We know what to do. We just need to work together across industry and government to really make it happen. We cannot wait for the next attack on our vulnerable water infrastructure, whether another small town with minimal defenses is targeted or a more sophisticated attack is launched on the systems of major cities.
