The top cybersecurity agency in the United States has released a new advisory, stating that nation-states and cybercriminals remain a threat to government-run water systems.
The Cybersecurity and Infrastructure Security Agency (CISA) issued the notification two days after Arkansas City, Kansas, reported a cybersecurity vulnerability that required it to switch to manual operations.
On Thursday, CISA stated that it will "respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.”
“Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.”
The cyber agency recommended operators to use previously released advice to secure systems. The attack on Arkansas City, which is home to approximately 11,000 people, began on Sunday morning. City Manager Randy Frazer declined to comment on whether the FBI and CISA were involved in the reaction to the attack, but stated that the water system remains completely safe and there has been no disruption in service.
Due to their significance, the more than 150,000 public water systems in the United States have been a focal point of dispute about the role of federal and state governments in cybersecurity protection.
Despite a significant increase in the frequency of ransomware assaults and nation-state intrusions, water industry associations teamed up with Republican senators last year to halt federal measures to protect drinking water infrastructure.
Even after a series of attacks on U.S. water facilities last autumn by hackers apparently linked to the Iranian government, groups such as the American Water Works Association have claimed that they should be entitled to create their own cybersecurity regulations for the industry.
Several cybersecurity specialists have reported an increase in assaults on industrial water systems, and they agree with CISA that one of the primary challenges is that numerous water systems continue to link industrial tools to the internet in order to remotely manage them.
Waterfall Security Solutions CEO Lior Frenkel told Recorded Future News that in his extensive work with water system operators, many either don't know what tools are connected to the internet or believe the risks outweigh the advantages.
“Systems that are connected to the internet can be shut down or manipulated or can impair the process that they are controlling,” Frenkel stated. “All of that should never be accessible from the internet unless there's such a need that you can say that need is stronger than the risk. But the default today is they are connected. We try to put them off the grid. The default should be everything is off the grid, and you connect only what's the bare necessity.”