The Iran-linked attacks against drinking and wastewater systems in the U.S. highlight longstanding concerns about under-resourced, local companies that depend on operational technology, including small utilities, manufacturers and healthcare organizations.
A group backed by Iran’s Islamic Revolutionary Guard Corps is linked to a recent wave of attacks targeting multiple U.S. water facilities and other sites that use Unitronics Vision Series programmable logic controllers.
Only a small number of water facilities have been targeted by the attacks thus far and there has been no direct impact on drinking water safety, federal officials said.
However, the incident “is really a clarion call for every organization running operational technology to focus on solving critically important basic steps,” said Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, during a conference call with reporters on Monday.
Those steps should include removing public-facing assets from internet exposure, eliminating default passwords and implementing cybersecurity performance goals as previously outlined by CISA.
“Local utilities are on high alert right now, and for good reason,” Chris Grove, director of cybersecurity strategy at Nozomi Networks, said in an email. “We’re in regular contact with many who are recognizing the fact that they’re a prime target for cyberattacks and looking to shore up their defenses.”
Fixing leaky security
CISA and other federal agencies have spent more than a year working with small utilities, local community businesses and other under-resourced organizations that are increasingly vulnerable to attack from ransomware groups and nation-state actors.
The U.S. has about 150,000 public water systems and 16,000 publicly owned wastewater systems; however, 97% of these facilities serve fewer than 10,000 customers, according to the Environmental Protection Agency. These facilities have small operational budgets, a small number of employees and limited access to onsite security staff or forensics experts.
A House hearing in May focused on the rising threat of attack to the energy, water and healthcare sectors. Moody’s Investors Service also issued a warning about the threat of state-linked attacks against utilities and other critical infrastructure sectors.
CISA in September launched a program with the EPA and two industry organizations to provide free security scanning for water utilities. But in October, the EPA had to rescind a rule that mandated security audits.
Missouri, Arkansas and Iowa won the legal challenge against the prior audit mandates outlined by the EPA in March. Following that decision, the American Water Works Association and the National Rural Water Association praised the state legal challenge and called for a more collaborative approach between the government and industry.
The EPA still provides additional tools like statewide tabletop exercises and is hosting a webinar on the Unitronics hacking threat on Wednesday.
David Travers, director of the Water Infrastructure and Security Division at the EPA, said the agency has worked closely with CISA to dispel the notion that developing a program using effective cybersecurity practices is “expensive and hopelessly complex.”
“So for example, these recent incidents illustrate rudimentary cybersecurity measures like changing passwords can make a real difference,” Travers said during the Monday conference call. “And this is a practice which involves a simple, standard procedure at a utility with no cost.”
Clarification: The caption for the image has been updated to reflect that the East Bay Municipal Utility District's wastewater treatment plant is the example of a wastewater facility.