Protecting Water Utility Operational Technology from Cyber Threats

Protecting Water Treatment Facilities: Securing Operational Technology Against Cyberattacks

Water treatment facilities across the United States are facing a growing threat from cyberattacks, with recent incidents exposing vulnerabilities within the sector. The Arkansas City water treatment plant fell victim to a significant cyberattack in September 2024, which forced the facility to resort to manual operations and raised concerns about the security of Operational Technology (OT) within water utilities.

Cyble Research & Intelligence Labs (CRIL) has identified a surge in cyber threats targeting water utilities, with pro-Russian hacktivist groups like the People’s Cyber Army (PCA) orchestrating attacks on critical infrastructure, including water treatment facilities. These attacks have led to disruptions in water supply control systems, posing environmental hazards and public health risks.

A joint statement from the Cybersecurity and Infrastructure Security Agency (CISA) highlights the targeting of OT devices by hacktivists, particularly modular industrial control systems (ICS) with internet exposure. The PCA, with a sizable following on social media platforms, has evolved its tactics from DDoS attacks to hacking operational systems, causing operational disruptions and distress.

The vulnerabilities within water treatment facilities stem from outdated systems and lax security protocols, as many facilities rely on internet-exposed systems like Virtual Network Computing (VNC) and SCADAView CSX. This lack of security measures poses a significant risk, as cyberattacks can lead to erratic control of critical systems, environmental damage, and financial burdens on water utilities.

The consequences of cyberattacks on water utilities extend beyond operational disruptions, impacting public health, environmental ecosystems, and the safety of facility personnel. The increasing frequency and sophistication of these attacks underscore the critical need for comprehensive cybersecurity measures to protect these vital infrastructures and prevent catastrophic failures.
