On the 25th of September, CISA released a clear warning that critical infrastructure continues to be a prime target for cyberattacks. Vulnerable systems in industrial sectors, such as water utilities, are continually being exploited due to inadequate cyber hygiene practices. By utilizing basic techniques like brute-force attacks and taking advantage of default passwords, malicious actors have consistently succeeded in breaching operational technology (OT) and industrial control systems (ICS).
The impact of attacks on the industrial sector has been significant. As per the 2024 IBM Data Breach Cost report, the average total cost of a data breach in the industrial domain was $5.56 million — representing an 18% increase compared to 2023. This surge in data breach costs is the highest among all industries surveyed in the report, escalating by an average of $830,000 per breach from the previous year.
Persistent vulnerabilities pose a grave danger to public safety and national security, particularly as water systems and other crucial infrastructure providers are ill-equipped in the current threat environment. Let’s delve deeper into the present condition of critical infrastructure security, shedding light on recent incidents, initiatives to mitigate vulnerabilities, and the necessity for enhanced collaboration between government and private entities.
Incident at Arkansas City Water Treatment Facility
The cybersecurity breach at the Arkansas City Water Treatment Facility on the 22nd of September showcases the escalating risks. Despite assurance from city officials that the water supply remained safe and there was no disruption to services, the breach compelled the facility to switch to manual operations. The incident is presently under investigation, with local authorities and cybersecurity specialists collaborating to address the problem and prevent further incursions. However, the breach at Arkansas City is not an isolated case; it mirrors the broader trend of attacks on water systems.
CISA has issued several alerts highlighting the vulnerability of water and wastewater systems to cyber risks. Intruders frequently exploit outdated and unsecured OT and ICS environments, where systems are either exposed to the internet or still utilize default credentials. This allows cyber criminals to gain entry using relatively simple methods, raising concerns about the overall readiness of critical infrastructure operators.
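The two weaknesses described above, internet-reachable OT management interfaces and unchanged default credentials, are easy to detect from the defender's side. The following is an added example written for this article, not code from CISA or any vendor: it runs a sliding-window brute-force detector over constructed authentication log lines from a hypothetical HMI host, escalating when a successful login follows a burst of failures, and audits a constructed asset inventory for management addresses outside the plant's internal ranges (the ranges, hostnames, addresses and the `password_rotated` field are assumptions).

```python
"""Added example: defender-side checks for the attack pattern the article
describes (brute-force logins and default credentials on internet-reachable
OT/ICS systems). Log format, hostnames, users and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style authentication events from a hypothetical HMI host.
SAMPLE_LOGS = """\
2024-09-22T02:14:01Z hmi01 auth: FAILED login user=admin src=203.0.113.7
2024-09-22T02:14:03Z hmi01 auth: FAILED login user=admin src=203.0.113.7
2024-09-22T02:14:05Z hmi01 auth: FAILED login user=admin src=203.0.113.7
2024-09-22T02:14:07Z hmi01 auth: FAILED login user=operator src=203.0.113.7
2024-09-22T02:14:09Z hmi01 auth: FAILED login user=admin src=203.0.113.7
2024-09-22T02:14:12Z hmi01 auth: ACCEPTED login user=admin src=203.0.113.7
2024-09-22T02:30:00Z hmi01 auth: FAILED login user=jsmith src=10.20.0.15
2024-09-22T03:30:00Z hmi01 auth: ACCEPTED login user=jsmith src=10.20.0.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Count failures per source address inside a sliding time window.
    Emits a 'bruteforce' alert when a source reaches the threshold and a
    'success_after_bruteforce' alert if that source then logs in, which is
    the weak-or-default-password outcome the article warns about."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in parse(lines):
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if ev["result"] == "FAILED":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append(("bruteforce", ev["src"], ev["host"], ev["ts"]))
        elif len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", ev["src"], ev["host"], ev["ts"]))
    return alerts


# Assumed plant-internal address ranges; anything else is treated as reachable
# from outside the OT network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory with the two conditions CISA calls out.
INVENTORY = [
    {"host": "hmi01", "mgmt_ip": "203.0.113.20", "password_rotated": False},
    {"host": "plc02", "mgmt_ip": "10.20.0.40", "password_rotated": False},
    {"host": "hmi03", "mgmt_ip": "198.51.100.9", "password_rotated": True},
]


def audit_inventory(inventory):
    """Return (host, [issues]) for every asset with a finding, worst first."""
    findings = []
    for asset in inventory:
        addr = ipaddress.ip_address(asset["mgmt_ip"])
        issues = []
        if not any(addr in net for net in INTERNAL_NETS):
            issues.append("management interface reachable from outside the plant network")
        if not asset["password_rotated"]:
            issues.append("factory default credentials still in use")
        if issues:
            findings.append((asset["host"], issues))
    return sorted(findings, key=lambda f: -len(f[1]))


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print("ALERT", *alert)
    for host, issues in audit_inventory(INVENTORY):
        print(host, "->", "; ".join(issues))
```

On the sample data the detector raises one brute-force alert for `203.0.113.7` at the fifth failure and escalates when the same source succeeds seconds later, while the single failure from the internal address never crosses the threshold. The inventory audit lists `hmi01` first because it combines both conditions; in practice the threshold, window and internal ranges should be tuned to the site's own logging and addressing.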
CISA Alerts and Activities of Hacktivists
The alert issued by CISA in September is not the initial indication of the increased threat faced by water and other vital infrastructure providers. Earlier in 2024, the agency cautioned that Russia-linked hacktivists were actively targeting ICS and OT environments in U.S. critical infrastructure facilities. Water systems, dams, as well as energy and food sectors, were specifically vulnerable to these assaults.
The scenario worsened with the emergence of the Cyber Army of Russia Reborn, a hacktivist group associated with Advanced Persistent Threat 44 (APT44), commonly recognized as Sandworm. This group has been highly active in exploiting the weak cybersecurity defenses of smaller water systems lacking adequate cyber protections.
As per Keith Lunden of Mandiant, “We anticipate that these assaults will persist in the foreseeable future owing to the absence of specialized cybersecurity personnel in many small and medium-sized organizations operating OT.” Regrettably, hacktivist organizations have exploited these vulnerabilities with relative ease. Without swift intervention, these attacks are likely to persist.
The State and Local Cybersecurity Grant Program (SLCGP)
Amidst the escalating cyber threats, the U.S. Department of Homeland Security (DHS) has acknowledged the necessity for heightened support for state and local government cybersecurity. In the fiscal year 2024, DHS allocated $280 million in grant funds for the State and Local Cybersecurity Grant Program (SLCGP). This funding is aimed at aiding state, local, tribal, and territorial governments in bolstering their cyber resilience. A particular focus has been placed on safeguarding critical infrastructure systems like water utilities, energy grids, and emergency services.
These grants will help enhance monitoring systems, address vulnerabilities, and implement crucial cybersecurity measures such as multi-factor authentication and routine system audits. For instance, in states like Michigan, government bodies are already collaborating with local water utilities to deliver cybersecurity training and assistance. The funding from DHS could significantly broaden these initiatives, providing a much-needed uplift to the security stance of critical infrastructure providers.
The Cyberspace Solarium Commission
In 2019, the Cyberspace Solarium Commission (CSC) was established by the U.S. Congress to formulate a national cyber defense strategy. Presently, around 80% of its recommendations have been put into effect. Nonetheless, a final push is required to address critical gaps, particularly in terms of private-sector collaboration and insurance revisions.
One notable challenge is identifying the “minimum security obligations” for entities that are crucial to national security. This measure would ensure that essential infrastructure providers, like key transportation systems and water utilities, receive the necessary assistance to avert disastrous incidents.
The Commission also stressed the importance of devising an economic continuity plan for cyber occurrences. This plan is essentially an incident response and resilience strategy to shield the U.S. economy from a significant cyberattack. Moreover, the Commission underscored the need for enhanced information sharing among government agencies, private sectors, and international partners to safeguard critical infrastructure from evolving cyber perils.
During a recent discussion panel, Senator Angus King, co-chair of CSC 2.0, pointed out the challenges in cultivating trust between the government and private sectors. Private entities own and operate the majority of the nation’s vital infrastructure, but historical frictions make cooperation difficult. King pointed out that the current scenario echoes early conflicts between state authorities and CISA. Nevertheless, the partnership between the private sector and government is crucial to tackle the increasing risk to vital infrastructure.
The status of critical infrastructure cybersecurity
The cyber resilience of U.S. critical infrastructure remains a worry. As evidenced by incidents like the Arkansas City Water Treatment Facility breach and other attacks on internet service providers, malicious actors are increasingly targeting essential services. These assaults are not confined to smaller towns. Larger infrastructure providers like ISPs and managed security service providers have also been victims.
The FBI recently revealed that hackers linked to China compromised over 260,000 network devices, highlighting the magnitude of the issue. Concurrently, attacks linked to the Chinese government have aimed at ISPs and managed security service providers by exploiting vulnerabilities in Versa Networks’ SD-WAN software, showcasing the increasing complexity of these dangers.
While the U.S. government is actively enhancing critical infrastructure cybersecurity, the assaults on water treatment systems and other vital services plainly show that more action is necessary. The DHS grant initiative and the recommendations from the Cyberspace Solarium Commission signify crucial stages in this endeavor, but cooperation among government, private sector, and global allies will be crucial in developing a robust defense against evolving threats.
The security of critical infrastructure remains a pressing issue. Recent incidents should act as a wake-up signal for operators, policy makers, and the general public to take measures before a cyber incident occurs that impacts human life and well-being. Clearly, the threats are genuine — and a concerted effort is necessary for any meaningful response.