CYBERSECURITY FOR WATER UTILITIES

ACID Technologies provides water utility companies with 24/7/365 dark web monitoring services, while also continuously monitoring multiple additional sources. When it detects a threat, ACID sends real-time, actionable alerts with all available information, enabling the targeted company to respond effectively and mitigate the threat’s harmful impact on its operations, whether service disruption, data theft or other harm.
What makes water utility companies attractive targets to cybercriminals?
Cybercriminals, and also cyberterrorists, consider all critical infrastructure, water supply infrastructure included, a target worthy of special attention, as it is essential to the functioning of society. Disruptions to the supply of water impact all citizens, as water is vital to life itself.
In September 2024, shortly after a cyberattack on a water treatment facility, the US Cybersecurity and Infrastructure Security Agency (CISA) stated that water systems were still at risk of attack by cybercriminals and nation-states.
What are some of the vulnerabilities of water utility companies that facilitate the success of cyber attackers?
Regarding the September 2024 attack on a water treatment facility in Kansas, USA, CISA pointed to vulnerabilities, stating that it continues to “respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.” It further added that “exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.”
What are some of the recent cyber attacks targeting the water utilities industry?
- In September 2024, the City of Arkansas in Kansas, USA reported that its water treatment facility had sustained a cyber attack. In view of the importance of uninterrupted water supply and the potential implications for future cyber attack attempts against this industry in larger cities, representatives of the Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security were sent to investigate the incident. The city issued a statement to reassure its approximately 11,000 citizens: “Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved. Residents can rest assured that their drinking water is safe, and the city is operating under full control during this period.” It also added that it is implementing enhanced security measures, and that the attack did not compromise private data.
- Only several weeks later, in early October 2024, America’s largest regulated water and wastewater utility company, American Water, was also the target of a cyber attack. Based in New Jersey, the company manages more than 500 water and wastewater systems in 14 states (California, Georgia, Hawaii, Illinois, Indiana, Iowa, Kentucky, Maryland, Missouri, New Jersey, Pennsylvania, Tennessee, Virginia and West Virginia) and on 18 military installations. In total, it provides services to a population of 14 million. Once the attack was detected, the company swiftly shut down some of its systems. Although American Water did not reveal the type of attack perpetrated against it, it is believed to have been a ransomware attack.
- Other cyber attacks that took place in 2024 include those targeting multiple water and wastewater plants in Texas, USA, in January 2024. The hackers posted videos online in which they could be seen interacting with SCADA (supervisory control and data acquisition) systems, adjusting controls and settings at will. Once the attacks were detected, operations were switched to manual control. In most of these attacks, this was done before material damage was incurred.
These and other attacks in 2024 join previous attacks in late 2023, including one on a water utility in Pennsylvania in late November 2023. The politically motivated attack perpetrated by pro-Iran hackers involved gaining access to industrial equipment used to manage water pressure, forcing a switch to manual operation of a pumping station.
Have the US authorities commented on these cyber attacks on water utilities?
Even before CISA’s statement that water systems were still at risk of attack by cybercriminals and nation-states, the US government voiced its concern in May 2024, ranking threats to critical infrastructure in the country as severe.
The concern also arises because cybersecurity in the water industry, which includes more than 150,000 public water systems in the USA, is unregulated; therefore, it is up to the various companies to implement best practices to protect themselves.
ACID’s solution can significantly improve water utility companies’ cybersecurity profile. In light of the critical importance of uninterrupted water supply, companies would be well advised to adopt this cost-effective solution and avoid operational disruption and potential damage to infrastructure.
ACID deploys clusters of robots, implements sophisticated algorithms, injects avatars and uses crawlers imitating regular user activity to perform continuous dark web monitoring. The aim is to detect signs of impending attacks while they are still in their planning stage, attacks that are in progress, and leaked data indicating that systems have been breached. Client-specific keywords are used, and languages are chosen as relevant, to provide optimal results. Numerous additional sources are also monitored 24/7/365. Once a threat is detected, ACID sends real-time alerts to the targeted organization, to enable it to implement countermeasures to mitigate the effects of the attack, or perhaps foil it altogether.