In the category of "we're too small for something like this to happen to us," Arkansas City, Kansas, experienced a cybersecurity incident on September 22, 2024, affecting its water treatment facility. The incident prompted a shift to manual operations.
Local authorities were quickly notified, and cybersecurity experts are currently working to restore automated systems. The incident did not result in any disruptions to water services for the city's population of around 12,000 residents.
In a press release, City Manager Randy Frazer said, "Despite the incident, the water supply remains completely safe, and there has been no disruption to service. Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved. Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period."
The city's response involved a swift collaboration with cybersecurity professionals and emergency protocols to ensure continued water safety while safeguarding against further attacks. Investigations into the breach are ongoing.
Water treatment facilities, sewage treatment plants, and other critical infrastructure have experienced or thwarted several attacks in recent years. In the fall of 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded to an active cyberattack on a water facility in western Pennsylvania, shedding light on the exploitation of Unitronics programmable logic controllers (PLCs) within the Water and Wastewater Systems (WWS) sector.
Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start, discussed the Arkansas City incident and the cyber risks to water treatment facilities and other critical infrastructure in general, saying:
"The recent cyberattack on the Arkansas City water treatment facility underscores the growing threat posed to critical infrastructure by ransomware and other cyberattacks. While the specific details of this particular attack are still emerging, it is clear that water treatment facilities, along with other OT-dependent industries, remain prime targets for cybercriminals.
The history of cyberattacks on water treatment facilities is marked by a mix of deliberate attacks and false alarms, highlighting the need for vigilance and preparedness. The Arkansas City incident serves as a stark reminder of the potential consequences of such attacks, which can range from service disruptions to public health risks.
Ransomware attacks on ICS organizations have been on the rise in recent years, as evidenced by the 50% increase in incidents reported by Dragos in 2023. The prevalence of ransomware-as-a-service (RaaS) models has made it easier for cybercriminals to launch and execute these attacks.
When OT systems are compromised by ransomware, organizations can face significant disruptions, including production losses, safety incidents, and financial losses. The Westrock incident in 2021, which resulted in estimated losses of up to $250 million, demonstrates the severe consequences of such attacks.
To mitigate the risks associated with ransomware attacks, organizations must prioritize cybersecurity measures. This includes implementing robust network security, educating employees on cybersecurity best practices, developing incident response plans, and maintaining regular backups. Additionally, organizations should consider establishing a defensible cyber position to enable more in-depth threat containment and ensure operational continuity during an attack.
The increased interest in OT systems by cybercriminals can be attributed to several factors, including the critical nature of these systems, the growing connectivity between OT and IT environments, and the potential for significant impact. Adequate funding for state infrastructure is essential to support robust cybersecurity defenses and ensure the resilience of critical systems."
The increasing digitization of critical infrastructure has made water treatment facilities a prime target for cyberattacks. While the number of publicly reported incidents may be limited, here are a few:
In early 2021, two ransomware attacks targeted rural communities in Maine, specifically the sewage treatment facilities of two towns.
In spring 2021, the United States House and Senate passed a bill that requires critical infrastructure owners and operators to report cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovering the incident.
In the spring of this year, the U.S. Department of Homeland Security (DHS) was set to implement long-awaited rules that will require critical infrastructure entities across multiple sectors to report cyber incidents and ransomware payments to the federal government.
In April, in a comprehensive National Security Memorandum (NSM), President Joe Biden outlined his administration's strategy for strengthening the security and resilience of United States critical infrastructure against threats like cyberattacks, natural disasters, and climate change.
All critical infrastructure is at risk.
"We've seen a 220% increase in railway-associated cyberattacks over the last five years," Col. Cedric Leighton, CNN Military Analyst; USAF (Ret.); Chairman, Cedric Leighton Associates, LLC, said in an August 20, 2024 SecureWorld News post. "In fact, over a 10-year period, we've seen cyber incidents impacting railway systems in countries as diverse as Belgium, France, Poland, the Czech Republic, Germany, Denmark, Italy, Belarus, Ukraine, India, and the United States. So, this is clearly a worldwide problem."