The security council said hackers affiliated with the Chinese military were aware of recent intrusions into American utilities, including water and power facilities in multiple states. According to reports, neither Iran-linked nor Chinese-linked attacks affected critical systems or caused disruptions.
“We are seeing companies and critical services face increasing cyber threats from malicious criminals and countries,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, tells Fast Company. The White House had been urging infrastructure providers to upgrade their cyber defenses before these latest attacks, but says “clearly, based on the latest success of criminal cyber attacks, more work needs to be done.”
Since the beginning of the Israel-Hamas war, an Iranian hacking group known as CyberAv3ngers has been targeting US water utilities that use Israeli-manufactured Unitronics programmable logic controllers (common multi-purpose industrial devices used to monitor and regulate water systems). “[Such infrastructure] is often forgotten, neglected, or both, and presents an attractive target for nation states,” says Gary Perkins, chief information security officer at cybersecurity firm CISO Global.
The attacks targeted at least 11 different organizations across the United States that use Unitronics devices, including six local aquatic facilities, a pharmacy, an aquatics center, and a brewery. After taking control of the devices, the hackers replaced their screens with the message: “You have been hacked, down with Israel. Any equipment ‘made in Israel’ is a legitimate target for CyberAv3ngers.” Matthew Mottes, executive director of the hacked Pennsylvania-based Aliquippa Municipal Water Utility, told reporters that the utility disabled the affected system after the attack and that local residents had no interruption in their water supply; he said there was no effect.
Federal officials say some of the compromised devices connected to the open internet with the default password of “1111,” making it easier for hackers to find them and gain access. Fixing this “doesn’t cost any money,” says Neuberger, “and these are the kind of basic things we really want companies to do immediately.”
But cybersecurity experts say these attacks point to a larger problem: the general weakness of the technology that powers physical infrastructure. Much of the hardware was developed before the internet, and although it was equipped with digital features, it still “had inadequate security controls,” says Perkins.
Additionally, many infrastructure facilities prioritize “operational ease of use over security” because many vendors often need access to the same equipment, says Andy Thompson, an offensive cybersecurity expert at CyberArk. But that convenience can make it just as easy for attackers to exploit the systems: freely available web tools allow anyone to create lists of public internet-connected hardware, such as the Unitronics devices used by water companies. “It should be standard practice not to make critical infrastructure easily accessible over the internet,” says Thompson.
But simply disconnecting water hardware from the internet, which security professionals call an “air gap,” isn’t enough, says Chris Clements, vice president of solutions consulting at CISO Global. Clements says he once helped respond to a cyberattack on a water utility that had isolated its sensitive systems from the internet but, as a result, had failed to update those systems with the latest security patches. “So when a third-shift worker brought in a USB flash drive with home-installed games (as well as a network worm) and decided to plug it into the air-gapped network, the systems were completely defenseless and each one was infected within seconds,” he says, describing an attack whose cleanup was “a process that would last several weeks.”
Thompson says he’s seen an “increase in the number of attacks” on critical infrastructure, which he thinks is “directly linked to geopolitical tensions and global conflicts.” However, the latest attacks were characterized less by their sophistication than by “the large number of attacks carried out, albeit by seemingly unskilled attackers” and “the relatively small amount of damage inflicted by the recent attacks.”
But some attacks came disturbingly close to doing much more damage. In July, federal prosecutors accused a man of using remote software to sabotage critical protections at a California water treatment plant where he previously worked, but the attack was detected and blocked. Iranian computer coworkers in 2020 Successful he said, according to Western intelligence reports.
Still, the White House is struggling to rally the water industry behind tougher cybersecurity measures. In March, the Environmental Protection Agency issued a memo requiring states to implement new cybersecurity measures on water systems, but the agency withdrew the memo in October after a judge ruled in favor of water industry groups and Republican states that had sued the EPA.
For now, Neuberger hopes that companies will see it in their interest to “lock the digital doors” of critical services organizations and that manufacturers like Unitronics will “please bring security to your technology products.” These attacks on water systems were “fairly simple attacks and some basic cybersecurity practices could have prevented it,” she says. “That was defensible.”