ScienceSoft

Default Passwords Jeopardize Water Infrastructure

Drinking water systems pose increasingly attractive targets as malicious hacker activity is on the rise globally, according to new warnings from security agencies around the world. According to experts, basic countermeasures—including changing default passwords and using multifactor authentication—can still provide substantial defense. However, in the United States alone, more than 50,000 community water systems also represent a landscape of potential vulnerabilities that have provided a hacker’s playground in recent months.

Last November, for instance, hackers linked to Iran’s Islamic Revolutionary Guard broke into a water system in the western Pennsylvania town of Aliquippa. In January, infiltrators linked to a Russian hacktivist group penetrated the water system of a Texas town near the New Mexico border. In neither case did the attacks cause any substantial damage to the systems.

Yet the larger threat is still very real, according to officials. “When we think about cybersecurity and cyber threats in the water sector, this is not a hypothetical,” a U.S. Environmental Protection Agency official said at a press briefing last year. “This is happening right now.” Then, last month at a public forum in Nashville, FBI director Christopher Wray noted that China’s shadowy Volt Typhoon network (a.k.a. “Vanguard Panda”) had broken into “critical telecommunications, energy, water, and other infrastructure sectors.”

A 2021 review of cyber vulnerabilities in water systems, published in the journal Water, highlights the converging factors of increasingly AI-enhanced and internet-connected tools running more and bigger drinking water and wastewater systems.

“These recent cyberattacks in Pennsylvania and Texas highlight the growing frequency of cyber threats to water systems,” says study author Nilufer Tuptuk, a lecturer in security and crime science at University College London. “Over the years, this sense of urgency has increased, due to the introduction of new technologies such as IoT systems and expanded connectivity. These advancements bring their own set of vulnerabilities, and water systems are prime targets for skilled actors, including nation-states.”

According to Katherine DeEmidio Ledesma, head of public policy and government affairs at Washington, D.C.-based cybersecurity firm Dragos, both attacks bored into holes that should have been plugged in the first place. “I think the interesting point, and the first thing to consider here, is that these attacks were not extremely sophisticated,” she says. “They exploited things like default passwords and things like that to gain access.”

Low priority, low-hanging fruit

Peter Hazell is the cyber-physical security manager at Yorkshire Water in Bradford, England, and a co-author of the 2021 Water review of cyber vulnerabilities in water systems. He says the U.S.’s power grid is relatively well-resourced and hardened against cyber attack, at least when compared to American water systems.

“The structure of the water industry in the U.S. differs significantly from that of Europe and the U.K., and is often criticized for insufficient investment in basic maintenance, let alone cybersecurity,” Hazell says. “In contrast, the U.S. power sector, following some notable blackouts, has recognized its critical importance … and established [the North American Electric Reliability Corporation] in response. There is no equivalent initiative for safeguarding the water sector in the U.S., mainly due to its fragmented nature—typically operated as multiple municipal concerns rather than the large interconnected regional model found elsewhere.”

DeEmidio Ledesma says that the problem of abundance is not the United States’ alone, however. “There are so many water utilities across the globe that it’s just a numbers game, I think,” she says. “With the digitalization comes increased risk from adversaries who may be looking to target the water sector through cyber means, because a water facility in Virginia may look very similar now to a water utility in California, to a water utility in Europe, to a water utility in Asia. So because they’re using the same components, they can be targeted through the same means.

“And so we do continue to see utilities in critical infrastructure and water facilities targeted by adversaries,” DeEmidio Ledesma adds. “Or at least we continue to hear from governments from the U.S., from other governments, that they are being targeted.”

A U.S. turnaround imminent?

Last month, Arkansas congressman Rick Crawford and California congressman John Duarte introduced the Water Risk and Resilience Organization (WRRO) Establishment Act to found a U.S. federal agency to monitor and guard against the above risks. According to Kevin Morley, manager of federal relations at the Washington, D.C.-based American Water Works Association, it’s a welcome sign of what could be some imminent relief, if the bill can make it into law.

“We developed a white paper recommending this type of approach in 2021,” Morley says. “I have testified to that effect several times, given our recognition that some level of standardization is necessary to provide a common understanding of expectations.”

Hazell, of Yorkshire Water, notes that even if the bill does become law, it may not be all its supporters might want. “While the development of the act is encouraging, it feels a little late and limited,” he says. By contrast, Hazell points to the U.K. and the E.U.’s Network and Information Security directives in 2016 and 2023, which coordinate cyber defenses across a range of a member country’s critical infrastructure. The patchwork quilt approach the U.S. appears to be going for, he notes, could still leave substantial holes.

“I think the best phrase to sum it up is target rich, resource poor,” says DeEmidio Ledesma, about the cybersecurity challenges municipal water systems today pose. “It’s a very distributed network of critical infrastructure. [There are] many, many small community water facilities, and [they’re] very vital to communities throughout the U.S. and internationally.”

In response to the emerging threats, in March Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technologies, issued a public call for U.S. states to report in on their plans for securing the cyber defenses of their water and wastewater systems by May 20. Contacted by IEEE Spectrum about the results and responses from Neuberger’s summons, a U.S. State Department spokesperson declined to comment.

IEEE Spectrum
