America’s small town water systems are global cyber targets. Is your city next?

By | April 28, 2024

A group calling itself Cyber Army of Russia Reborn posted a video on its Telegram channel on January 18 showing its members manipulating the controls of water tanks at the Texas water authority. Specifically, they turned on water pumps by remotely changing water level indicators, causing a reservoir to overflow in the small town of Muleshoe. The town of Abernathy also reported its water system was hacked, and the towns of Lockney and Hale Center said hackers attempted to breach their water infrastructure but were unsuccessful.

Robert M. Lee - Dragos, Inc.

This is the second set of cyber threats to impact U.S. water officials since November 2023, when CyberAv3ngers, a group leveraging vulnerable operational technology devices connected to the internet, launched global attacks on multiple water utilities, including a successful breach of systems in the small town of Aliquippa, Pennsylvania.

These attacks were quite different from hackers defacing government websites, which was worrying enough for those trying to secure sensitive portals. Yes, water system attacks were not technically simple, but they took control of physical processes.

Cybersecurity experts and the U.S. government agree that hostile national governments with which these groups are ideologically aligned have long set their sights on attacking critical infrastructure in the United States.

Cyber Army of Russia Reborn, as the name suggests, associates itself with Russia. CyberAv3ngers has been linked by government agencies to Iran’s Islamic Revolutionary Guard Corps, which the United States designated a foreign terrorist organization in 2019.

In February, the FBI confirmed that the Chinese-backed threat group VOLTZITE, also known as Volt Typhoon, had infiltrated critical infrastructure in the United States and around the world in preparation for future attacks, targeting not only the water sector but also critical communications infrastructure, the power and energy sectors, and transportation systems, going back to early 2023.

If this list of powerful hacking groups targeting small and vulnerable infrastructure gives you Goliath vs. David vibes, you’re not alone. The increasing number and intensity of cyber attacks sponsored by hostile countries targeting our critical infrastructure is of great concern to the public, industry and policy makers alike. Hackers’ goals are many: espionage and reconnaissance, deterrence by demonstrating their capabilities, virtual disruption of essential services, and more.

Unlike David, who was prepared to take on Goliath, our most vulnerable critical infrastructure systems, including water infrastructure, are underprepared. In fact, as water utilities modernize, they will become more vulnerable to attack.

Today’s landscape is filled with older, even outdated systems that are not digital and not connected to the internet. Rehabilitating and replacing aging water infrastructure is a top priority for the water industry and lawmakers. This means they can establish many more connections through internet-enabled devices, providing attackers with new access points. They will also begin to share more of the same systems, which means adversaries can launch the same attack against multiple facilities, rather than having to customize attacks for each facility.

But given that new technologies are the only option to replace aging systems, and given the operational and financial benefits of digital transformation, it is unrealistic to go back in time and completely disconnect or manually operate all water utilities.

The water attacks we have seen so far have not resulted in serious consequences for the people they serve. However, both Cyber Army of Russia Reborn and CyberAv3ngers used unsophisticated methods such as using the default password in their recent attacks.

Make no mistake: If a state-sponsored adversary (and there are numerous threat groups backed by Russia, China, North Korea, and Iran) uses more sophisticated tactics to disrupt water, the consequences could be severe.

The low level of cybersecurity at some water utilities not only allows threat groups to gain access, but also gives them the opportunity to gain knowledge about systems, architectures, and ways to gain control for future attacks on the next facility with vulnerable systems. Given how these groups have discovered the operations and vulnerabilities of our systems, I predict that we will see future cyberattacks that actually disrupt water purification processes, impair water quality, or physically damage systems in ways that could harm humans.

According to the EPA, 90% of the nation’s community water systems are small, with public systems providing water to 10,000 or fewer customers. They often do not have adequate budgets for new equipment and technology or for cybersecurity personnel or services, as water industry representatives and lawmakers recommend. As a result, they face an increasing threat landscape without the expertise and technologies to fully address cybersecurity risks, including threats to their operational technologies such as the industrial control systems that run water pumping stations.

Government and industry must collaborate more closely than ever to protect critical infrastructure and services, including water. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency, the Environmental Protection Agency, and other agencies regularly share recommendations and guidance on vulnerabilities with industry and other stakeholders.

But water is still at risk. Unlike other critical infrastructure sectors with well-developed cybersecurity standards, such as our electrical systems, which are constantly targeted and lack structures to finance investments, the water sector is just beginning its cybersecurity journey. Many water utilities lack the financial and workforce capacity to prioritize and act on information about threats, let alone establish defensible systems.

If we really want to help water utilities defend against cyber threats, we have to close the resource gap. It’s important to protect your personal information on your water bill, but it’s also important to protect your real water. This means that cybersecurity must protect not only data systems but also operational technology. Cybersecurity investment costs must also be recoverable through local government budget-setting processes.

We can’t make utilities choose between reliability and security. Our society needs both.

But financing doesn’t solve everything. Water utilities need faster and easier access to cybersecurity tools and resources. Recent grant programs like the Department of Homeland Security’s State and Local Cybersecurity Grant Program are helping, but there are still barriers to receiving funding, including a long and burdensome process for federal money to reach utilities. Vendors are also exploring how they can contribute to the community they serve. Critical infrastructure is an ecosystem, and by supporting the sectors that need it most with tools and information sharing, we strengthen all sectors and support national security.

As I said in my testimony before Congress in February, we all have the same goal: safe, available water for ourselves, our families, and our communities. We know what needs to be done. To really do this we need to work together across industry and government. We cannot wait for the next attack on our vulnerable water infrastructure, the targeting of another small town with minimal defenses, or the launch of a more sophisticated attack on the systems of a major city.
