America’s small-town water systems are global cyber targets. Is your city next?

A group called Cyber Army of Russia Reborn posted a video on their Telegram channel on January 18 showing that they had manipulated controls for water tanks at a water authority in Texas, it was recently reported. Specifically, they turned on water pumps by remotely changing water level indicators and caused a water tank in the small town of Muleshoe to overflow. The city of Abernathy also reported a hack on its water system, and the cities of Lockney and Hale Center said hackers tried to breach their water infrastructure but were unable to do so.

Robert M. Lee - Dragos, Inc.


This was the second cyber threat group to impact U.S. water authorities since November 2023, when CyberAv3ngers, a group that has exploited vulnerable internet-connected operational technology devices, launched global attacks on multiple water utilities, including a successful breach of systems in the small town of Aliquippa, Pennsylvania.

These attacks were very different from hackers damaging government websites, which is worrying enough for those trying to secure sensitive portals. Yes, the attacks on the water system were technically unsophisticated, but they took control of physical processes.

Cybersecurity experts and the U.S. government agree that hostile national governments, with whom these groups are ideologically aligned, have long had their sights set on attacking critical infrastructure in the United States.

Cyber Army of Russia Reborn, as their name indicates, associates themselves with Russia. And CyberAv3ngers has been linked by government agencies to Iran’s Islamic Revolutionary Guard Corps, which the U.S. designated as a foreign terrorist organization in 2019.

In February, the FBI confirmed that the Chinese-backed threat group VOLTZITE, also known as Volt Typhoon, had infiltrated critical infrastructure in the US and around the world in preparation for future attacks targeting not only the water sector, but also critical communications infrastructure, power and energy infrastructure, and transportation systems, dating back to early 2023.

If this list of powerful hacking groups targeting small and vulnerable infrastructure gives you a Goliath vs. David feeling, you are not alone. The increasing number and intensity of cyber attacks, backed by hostile countries targeting our critical infrastructure, are of great concern to the public, industry and policymakers alike. The hackers’ motives are numerous: espionage and reconnaissance, deterrence by demonstrating their capabilities, actual disruption of essential services, and more.

Unlike David, who was ready to take on Goliath, our most vulnerable critical infrastructure systems – including water infrastructure – are ill-prepared. As water supplies become more modern, they will become even more vulnerable to attack.

Today’s landscape is littered with older – even outdated – systems that are not digital and not connected to the internet. Repairing and replacing aging water infrastructure is a top priority for the water industry and lawmakers, meaning these systems will become massively more connected through internet-enabled devices, providing attackers with new entry points. They will also share more of the same systems – meaning adversaries can launch the same attack on multiple facilities instead of having to tailor attacks for each facility.

But given that new technologies are the only option to replace outdated systems, plus the operational and financial benefits of digital transformation, it is unrealistic to go back in time and keep all water supplies completely shut off or operate them manually.

The water attacks we have seen so far have not had serious consequences for the people they serve. However, both Cyber Army of Russia Reborn and CyberAv3ngers used unsophisticated methods in their recent attacks, such as abusing a default password.

Let there be no mistake: If a state-sponsored adversary – and there are many threat groups backed by Russia, China, North Korea and Iran – were to use more sophisticated tactics to disrupt water supplies, the consequences could be serious.

The low level of cybersecurity at some water facilities not only gave threat groups access, but also gave them the opportunity to learn about the systems, architectures and ways to gain control for future attacks on the next facility with vulnerable systems. Given the way these groups have investigated the operations and weaknesses of our systems, I expect we will see future cyberattacks that do indeed disrupt water treatment processes, degrade water quality, or cause physical damage to systems in ways that could harm people.

According to the EPA, 90% of the nation’s community water systems are small, public systems that deliver water to 10,000 or fewer customers. As water industry representatives and lawmakers have pointed out, they often lack adequate budgets for new equipment and technology, or to retain cybersecurity personnel or services. They therefore face the escalating threat environment without the expertise and technologies to fully address cybersecurity risks, including threats to their operational technology, such as the industrial control systems that operate water pumping stations.

Government and industry must work more closely than ever to protect critical infrastructure and services, including water. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency, the Environmental Protection Agency, and other agencies routinely share vulnerability advisories and guidance with industry and other stakeholders.

Yet the water is still in danger. Unlike other critical infrastructure sectors that have well-developed cybersecurity standards, such as our electrical systems that are consistently targeted and lack structures to finance investments, the water sector is only beginning its cybersecurity journey. Many water utilities lack the financial and human resources to even prioritize and take action based on threat information, let alone build defensible systems.

If we really want to help water utilities defend themselves against cyber threats, we need to close the resource gap. Protecting your personal information on your water bill is important, but so is protecting your actual water. This means that cybersecurity must protect operational technology, not just data systems. And the costs of cybersecurity investments must be recoverable through local government budget processes.

We cannot make utilities choose between reliability and safety. Our communities need both.

But financing doesn’t solve everything. Water utilities need faster and easier access to cybersecurity tools and resources. Recent grant programs are helping, such as the Department of Homeland Security’s State and Local Cybersecurity Grant Program, but there are still hurdles to actually obtaining funding, including a long and arduous process of getting federal money to utilities. Vendors are also looking at how they can give back to the community they serve. Critical infrastructure is an ecosystem, and by supporting the sectors that need it most through tools and information sharing, we strengthen all sectors and support national security.

As I said in my testimony before Congress in February, we all share the same goal: safe and available water for ourselves, our families and our communities. We know what needs to be done. We just have to work together within industry and government to actually do it. We can’t wait for the next attack on our vulnerable water infrastructure, whether from another small town with minimal defenses, or a more sophisticated attack on a major city’s systems.
