The city of Wichita, Kansas, recently faced a cyberattack on its water system, a troubling but increasingly common occurrence. This particular breach targeted water metering, billing, and payment processing systems, reflecting a broader trend of attacks on water utilities across the United States. According to Ryan Witt, vice president of cybersecurity at Proofpoint, these attacks exploit human vulnerabilities through “old school” methods like phishing, social engineering, or using default passwords, rather than sophisticated AI-driven techniques.
The surge in cybercrime against critical infrastructure has prompted the Environmental Protection Agency (EPA) to issue an enforcement alert. The EPA found that 70% of the water systems it inspected did not fully comply with the cybersecurity requirements of the Safe Drinking Water Act. The agency highlighted alarming vulnerabilities, such as unchanged default passwords, single-login setups, and former employees retaining access to systems.
Witt pointed to an attack last year by an Iranian-backed activist group on 12 U.S. water utilities as a stark reminder of the deliberate and targeted nature of these threats. The utilities targeted in that attack all used Israeli-made equipment, suggesting a strategic choice by the attackers.
Concerns over cybersecurity are shared by major federal agencies. In February, the FBI warned Congress about deep intrusions by Chinese hackers into the U.S. cyber infrastructure, targeting water treatment plants, the electrical grid, transportation systems, and other critical sectors. In January, a Russian-linked hack caused a water tank to overflow at a water filtration plant in Muleshoe, Texas, near a U.S. Air Force base. Adam Isles, head of cybersecurity practice for the Chertoff Group, told CNBC that water systems are among the least mature in terms of security.
The psychological impact of such attacks is significant, as demonstrated by the Colonial Pipeline hack in 2021, which caused widespread panic and fuel shortages along the eastern seaboard. A similar psychological effect could arise from attacks on water utilities, even if they don’t directly disrupt water supply. According to Stuart Madnick, an MIT professor of engineering systems, the real concern lies in the potential for attacks on operational technology (OT) that controls water plants. Such attacks could shut down water systems for weeks, posing a massive risk.
EPA Administrator Michael Regan and national security advisor Jake Sullivan recently sent a letter to the nation’s governors, emphasizing the urgency of this threat. However, Madnick expressed skepticism about the government’s ability to act swiftly or effectively, citing budget constraints, outdated infrastructure, and a reluctance to address such a daunting issue. He warned that significant preventive measures might only be taken after a major incident occurs.
Water utilities rely on technology for monitoring, operations, and customer communication, which creates vulnerabilities. An EPA spokesman noted that cyberattacks could allow attackers to control system operations, damage infrastructure, disrupt water flow, or alter chemical levels, potentially leading to the discharge of untreated wastewater or contamination of drinking water.
Witt suggested several initial steps to improve cybersecurity for outdated systems, including enhancing password strength, reducing exposure to the public-facing internet, and implementing cybersecurity awareness training. Another measure is deploying air-gapped systems to separate supervisory and control systems from other networks. This would prevent system administrators from accessing both office systems and control panels from the same device.
The EPA emphasized that many attacks could have been prevented through basic cyber resiliency practices. It warned that all drinking water and wastewater systems, regardless of size or location, are at risk. Although AI has not been a significant factor in these attacks so far, the EPA spokesman cautioned that advances in artificial intelligence are providing cyberthreat actors with more sophisticated tools. These actors, including those working on behalf of other nations, could exploit disruptions in U.S. critical infrastructure to their strategic advantage.
To safeguard America’s water infrastructure, it is imperative to address these vulnerabilities promptly and robustly, adopting enhanced security measures and staying vigilant against evolving threats.