Two recent cyberattacks on water systems highlight vulnerability of critical infrastructure

Employees monitor systems in the operating control room at the Roberto Gonzales Regional Water Treatment Plant on Jan. 26, 2023 in Eagle Pass, Texas.

Employees monitor systems in the operating control room at the Roberto Gonzales Regional Water Treatment Plant on Jan. 26, 2023 in Eagle Pass, Texas. Brandon Bell/Getty Images

 

Connecting state and local government leaders

Pro-Iran hackers allegedly hit a system near Pittsburgh, causing it to replace its Israeli-made equipment as a precaution. Meanwhile, another group hit a system in North Texas and caused operational issues.

Two recent hacks on water systems by cyber gangs that sympathize with foreign, hostile governments show the ongoing vulnerability of critical infrastructure.

The Municipal Water Authority of Aliquippa in Pennsylvania was attacked on the Friday night after Thanksgiving. The hackers breached the system that it uses to manage water pressure and left a message on the affected device that equipment made in Israel is “a legal target” given the country’s ongoing war with Hamas.

The utility’s General Manager Robert Bible said it turned off the impacted equipment and operated one of its water pump stations in manual mode. Bible said the authority, which has about 15,000 customers, would replace the affected equipment to be safe.

In recent weeks, there have been several other hacks on Israeli-made equipment in the U.S., prompting four federal agencies and the Israel National Cyber Directorate to issue a joint advisory warning of “malicious cyber activity” against certain devices by groups linked to Iran’s Revolutionary Guard Corps.

The joint advisory warned that several organizations across multiple states had been breached by Iranian-linked hackers, who call themselves the “Cyber Av3ngers” and have been targeting Israeli-made Unitronics computer products. In a bid to mitigate future attacks, the joint advisory recommended changing default passwords or disconnecting certain control systems from the internet in the immediate term, then strengthening security through multifactor authentication, backups, patches and other means.

Cybersecurity has been a sore spot for water systems for many years. Similar to other critical infrastructure, the sector is fragmented and underfunded, so it's less able to keep up with evolving threats. The Environmental Protection Agency had sought to bolster cyber rules but backed off the plan earlier this year.

Rep. Chris Deluzio of Pennsylvania joined Sens. Bob Casey and John Fetterman in a joint letter to U.S. Attorney General Merrick Garland calling for the Department of Justice to investigate the attack on the water authority.

“We know that nation-state adversaries are targeting the weakest link in America’s critical infrastructure,” the trio of federal lawmakers wrote. “We must ensure that our state and local governments, along with private companies, have cyber-defenses strong enough to fend off attacks from sophisticated actors.”

The Pennsylvania hack came just days after another municipal water system experienced a cybersecurity issue that impacted some of its business operations. The North Texas Municipal Water District, which serves more than 2 million people across 13 cities in the state, at first reported experiencing an interruption in its phone service earlier this month.

A spokesperson later told Recorded Future News that while the attack didn’t affect the district’s core water, wastewater and solid waste services, it did require the utility to restore its business network and phone system. The investigation is ongoing.

A cybercrime gang known as Daixin Team, which has already hit medical systems in the U.S., took responsibility for the attack. The group said it had stolen more than 33,000 pieces of data but did not specify what it had taken. The gang has previously claimed to have stolen people’s names, dates of birth, Social Security numbers and other personal identifiable information.

Observers say there are a few things utilities and other critical infrastructure providers can do to get their cybersecurity up to snuff. 

One such strategy is whole-of-state, which encourages better intergovernmental collaboration and information sharing. Michael Bimonte, chief technology officer for state, local and education at security firm Armis, said the approach will be “increasingly emphasized to address the problem.” The reason, he said, is because “every segment of local government is in a much stronger position to defend against acts of cyberwarfare.”

Observers worry that many utilities have been slow to adopt the best practices suggested in the joint advisory, such as changing default passwords or disconnecting certain control systems from the internet. In a May hearing before a House Energy and Commerce subcommittee, David Travers, director of the EPA’s Water Infrastructure and Cyber Resilience Division, said the lack of adoption of even simple cyber measures like multifactor authentication is the “most significant cyber risk in this sector.”

“Consequently, many water and wastewater systems remain highly susceptible to cyberattacks that could disrupt their operations,” he said.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.