The Tug-of-War for Cyber Resilience to Guard Water Utilities

Once the stuff of espionage thrillers, cyberthreats are taking aim at real world, critical resources such as the attack on water systems used by towns in Texas, an attack linked to Russian hacker group Sandworm -- aka APT44.

Not the first time that Sandworm has struck, its exploits are tied to the CyberArmyofRussia_Reborn, a group that Google’s Mandiant cybersecurity firm says took credit this year “for the manipulation of human machine interfaces controlling operational technology assets at Polish and US water utilities.”

CyberArmyofRussia_Reborn also claimed credit for disrupting a French hydroelectric facility.

Whether by proxies or under alternate names, such advanced persistent threats (APT) continue to extend their reach seeking more than cash via ransomware schemes -- they are part of the geopolitical cyber cold war.

With such international threats in play, even local infrastructure can be at risk. Kevin Morley, manager of federal relations for the American Water Works Association, says though the attacks might target resources at a local level, the threat is of national concern. “The testimony that we’ve seen from Director Easterly and Director Wray, from CISA [Cybersecurity and Infrastructure Security Agency] and FBI respectively -- Wray’s testified here just in the last couple of weeks, talking about increased levels of activity from foreign adversary-affiliated entities targeting multiple critical infrastructure systems; it’s not just water systems that’s being targeted.”

Related:The Continuing Vulnerability of US Critical Infrastructure

From such testimony, Morley says, it is clear that capable bad actors are exercising their potential more frequently now. “Net-net, the biggest thing that continues to happen or occurring is ransomware,” he says, “just because it’s so easy to propagate.”

A Flood of Reasons to Bolster Cybersecurity

Chris Hughes, chief security advisor at open-source security company, Endor Labs, says cyberattacks on US infrastructure such as telecommunications and water treatment facilities may be embedded to exploit those systems over time. Even with heightened awareness, there is no easy fix.

“Part of the challenge here is largely critical infrastructure is privately owned and operated,” he says. Hughes is also a cyber innovation fellow at CISA, where he focuses on supply chain security. “It’s a bit challenging for the government to fully control the cybersecurity of that infrastructure since they don’t actually own it and operate it in a lot of cases.”

Another aspect of what makes cybersecurity for water systems a challenge can be the age and longevity of operational technology environments. “You’re talking systems that have life cycles in decades, not years, in terms of technology,” Hughes says. As is often the case, the need for constant stability in a legacy infrastructure system makes it harder to change and update. “This technology has been around for a long time,” he says. “In many cases, it’s very fragile. It has known vulnerabilities; it hasn’t been upgraded or changed due to disruptions that it could cause in the services that they provide.”

Related:To Catch a Cybercriminal -- and the Fallout That Follows

Persistent Challenge of Costs

Despite the importance of critical infrastructure, the matter of upgrading cybersecurity to meet new rules can come down to balancing costs -- which can be difficult for budget-strapped towns regardless of regulatory pressure. “We can’t push a local electric or water municipality provider out of business because people rely on that for their daily lives,” Hughes says.

Still, there can be some outcry to drive businesses to take action, whether it is through a public-private partnership or additional funding and resources. “It needs to happen because this is a real societal threat,” he says.

The financial constraints of cybersecurity, often an ongoing cost in the private sector, can be draconian for municipalities that need to protect water system and other critical infrastructure. “What we tend to see is these organizations that are broadly underinvested, especially when it comes to municipalities,” says Matt Warner, CTO and co-founder of Blumira.

When such attacks strike, he says, they tend to take advantage of remote access that gets exploited if the organization did not have the skillsets or time to properly and securely build remote access into these types of systems. “Or they’ve just never really been given the budget to solve the problem internally in the organization,” Warner says. “We’ve seen it for years.”

There can be legitimate reasons to manage water levels remotely, but then bad actors seize the opportunity to strike. “It’s not hard to find these types of things and then leverage found credentials to either get into it,” he says, “or they’re just not even protected as a whole, generally speaking.”

Unlike attacks motivated by geopolitical campaigns, ransomware attacks that exploit infrastructure might just be using the industrial side in order to get to the IT side to then deploy ransomware. “Usually there’s no ransoming old technology,” he says. “Usually, ransomware is not built to ransom 40-year-old water industrial technology, but it’s built to tap into the other areas.”

Water systems and other critical infrastructure can still be primary targets. Warner cites a cyberattack on a water system in Florida a few years ago that affected water levels and triggered a boil water advisory. That action set off the proverbial alarms and led to action, he says, but so far, water systems have yet to be weaponized by hackers directly against the populace. “We have been really lucky that no one has got into systems like this and decided to really manipulate them,” Warner says.

Beyond Ransomware Attacks

At a basic level, ransomware attacks can still be unsophisticated, Morley says, by flooding email inboxes with deceptive messages that include malicious links in the hope that eventually someone will take the bait. “You just need a couple of people to click on it and you get payday,” he says.

New reporting requirements proposed by CISA, under the Cyber Incident Reporting for Critical Infrastructure Act, are meant to provide a more structured approach to gather intelligence for a collective better understanding and threat picture, Morley says. The requirements mandate critical infrastructure entities, such as drinking water and wastewater systems, “to report significant cyber incidents within 72 hours and payment of ransomware within 24 hours,” he says.

The actions of APT44 are a little bit more malicious in nature than the usual ransomware threat, Morley says. “It’s not financially motivated.” While the group has yet to completely disable a target, he says they are flexing their potential capability to disrupt critical infrastructure systems. “Whether it be the ports, or electric grid, or water systems, or healthcare,” he says. “A lot of that is politically motivated.”

Other threat actors aside from Sandworm/APT44 have targeted water systems. For example, CISA put out word last December about an attack by CyberAv3ngers, a group affiliated with Iran’s military, targeted Unitronics Vision Series programmable logic controllers (PLCs), which are used by the water and wastewater systems industry including in the United States. “That essentially became a defacement function,” Morley says, citing the messages left in the systems by the hackers denouncing Israel, where Unitronics is based, and claiming any equipment made there would be targeted.

“The situation in Texas is a little bit different where they actually did move forward and actually manipulated operations and caused the tank to overflow,” Morley says. That did not actually disrupt continuity service, he says, but the hackers were able to overflow the water tank they targeted.

It May Take More Than a Village

Morley says his association has been consistent in its messaging to members and federal partners about the importance of cybersecurity. “In my conversations with utility leaders, cybersecurity say 10-15 years ago was important, but it wasn’t in the top 10 list,” he says. “Now it’s top of mind. It is the thing that a board would be frequently talking to their CIO about.”

While big water systems are likely to have a CIO, very small operations that are primarily municipal in nature might not have such personnel. The overall challenge of safeguarding water systems also includes the potential scale of end users who may be affected, Morley says, which can include school systems and residences. Hiring a CIO and purchasing more cybersecurity resources, despite the possible impact a hacked water system could have, might not be possible on the municipal budget.

The potential threat of bad actors targeting water systems more intensely means cyber resiliency has become top of mind. “I think there’s been a little bit of a shift in the discussion,” Morley says. “You’ve seen talk about this being a shared responsibility at the end of the day.” The operators of water systems may be able to put certain controls in place, but it is also incumbent on technology providers to offer and integrate security features into their services or products, he says.

Much like the resources carmakers and mechanics make available to service a car, technology providers could step up security features, Morley says. “The analogy I always use -- I own a car, doesn’t make me a mechanic, doesn’t make me capable of changing the brakes, but I know I got to do it right.”