The Cybersecurity and Infrastructure Security Agency on Wednesday said threat groups are still exploiting vulnerable devices in various industrial targets — including water utilities — that are practicing weak cyber hygiene.
Exposed and vulnerable industrial control systems and operational technology environments can be hacked using unsophisticated methods, such as brute-force attacks and taking advantage of systems using default passwords, CISA said.
The agency's alert echoes its warnings from earlier this year that Russia-affiliated hacktivists were targeting ICS/OT operators working in U.S. critical infrastructure facilities. The CISA guidance released in May detailed how hackers were using relatively simple techniques to attack smaller ICS and OT environments in the U.S. and Europe, including water, dams, energy, food and agriculture sectors.
CISA did not specify which incidents led to the alert, but it comes just days after officials in Arkansas City, Kansas, disclosed an attack on a local water treatment facility. “Despite the incident, the water supply remains completely safe, and there has been no disruption to service,” City Manager Randy Frazer said in an announcement posted on the city website.
The incident is under investigation by forensic specialists and government authorities.
Water warnings
Over the past year, CISA and other federal authorities have kept up a steady cadence of warnings about state-linked threat activity, beginning with attacks in 2023 against water and wastewater facilities from hackers linked to Iran's Islamic Revolutionary Guard Corps.
Authorities later issued extensive warnings about hackers linked to Russia and China targeting water and other critical infrastructure providers. Authorities said threat groups were taking advantage of poorly configured devices, particularly those that lacked multifactor authentication, relied on default passwords and were exposed to the internet and therefore visible to attackers.
The Cyber Army of Russia Reborn has been among the most prolific of these hacktivist groups targeting the water sector, according to Keith Lunden, manager of the cyber physical team at Mandiant. The hacktivist group also has ties to APT44, a threat actor commonly known as Sandworm.
“We expect these attacks to continue for the foreseeable future given the lack of dedicated cybersecurity personnel for many small- and mid-sized organizations operating OT,” Lunden said via email.
The Biden administration has prioritized cybersecurity in the water sector for the last couple of years amid a broader push to secure critical infrastructure. The Environmental Protection Agency launched a program for mandatory cyber audits of water utilities in March 2023, but lost a federal court fight after three states challenged the mandates.
The White House and EPA held a virtual conference with state officials in March seeking specific reports on how they planned to mitigate cyber threats.
The EPA in May warned it might seek enforcement actions against utilities after disclosing that 70% of water utilities were out of compliance under the Safe Water Drinking Act. Utilities, for example, were failing to cut off accounts for former workers or allowing multiple employees to share the same login.
During the Billington Cybersecurity Summit in Washington earlier this month, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said letters were sent to state governors seeking “prioritized vulnerability assessments” for water utilities from state officials and about 40 responses came back.
“We’ll be getting a detailed assessment of what they’ve learned so that we can build a national plan to really work on improving rapidly the cybersecurity of water systems across the country,” Neuberger said during a panel.
State officials have done their own work to boost resilience at local water utilities. In Michigan, the Department of Environment, Great Lakes and Energy is working with local utilities to provide free cybersecurity awareness training and has added cybersecurity questions to permitting and surveys for water utilities.
“We know that a one time shot of training is not sufficient for the new threats critical infrastructure is facing,” Jay Eickholt, emergency management coordinator for EGLE, said via email.
EGLE is also investigating potential grant funding to help cash-strapped providers boost their resiliency, Eickholt said.