Kansas Water Facility Cyberattack Prompts Federal Investigation
The City of Arkansas City, Kansas, reported a cybersecurity incident at its water treatment plant early Sunday, September 24, 2024. The incident has prompted a federal investigation by the Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security. This incident, which has been labeled a Kansas Water Facility Cyberattack, serves as a stark reminder of the vulnerabilities of critical infrastructure to cyberattacks.
While the city has assured residents that the water supply remains safe and there has been no disruption in service, the incident underscores the evolving cybersecurity challenges facing critical infrastructure, particularly in the water and wastewater sectors.
Details of the Kansas Water Facility Cyberattack
The cyberattack targeted the Arkansas City water treatment plant’s control systems, potentially disrupting operations. As a precautionary measure, the facility switched to manual operations while the situation was being resolved.
“Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved,” Randy Fraser, City Manager, said in a news release. “Residents can rest assured that their drinking water is safe, and the city is operating under full control during this period.”
Shana Adkisson, Arkansas City communications director, reassured residents that the affected systems did not contain customer information, so private data is not at risk.
“Everything’s been running smoothly on the outside world; it’s just on the inside world. We have a little issue, but we’re just trying to figure it out,” she said.
Expert Analysis: The Importance of Robust Cybersecurity
Itay Glick, vice president of products at OPSWAT, highlighted the significance of the incident:
“The recent cyber incident at Arkansas City’s water treatment facility highlights the evolving cybersecurity challenges facing critical infrastructure, particularly in the water and wastewater sectors. Fortunately, there was no disruption to the water supply, and sensitive information remained secure. However, similar attacks could easily result in more severe consequences. This event reinforces the need for heightened vigilance and continuous improvements in cybersecurity across this sector.”
Glick emphasized the importance of robust cybersecurity defenses and criticized the reliance on manual backups as a long-term solution.
“While manual processes are invaluable in emergencies, they are not intended as long-term solutions,” he stated. “Automated systems are designed to ensure smooth operations, and relying on manual backups over time can lead to inefficiencies or other unforeseen security issues. This emphasizes the importance of strong cybersecurity defenses that reduce the need for such measures in the first place.”
Vulnerabilities and Mitigation Strategies: Common Targets for Cyberattacks
Shawn Waldman, CEO and Founder of Secure Cyber, identified several common vulnerabilities that make water treatment facilities targets for cyberattacks:
Remote Access: A Gateway for Attackers
Water treatment facilities often expose remote access to the internet to allow external companies to perform maintenance. This access is frequently insecure, making the facility an easy target for external threat actors.
Poor Network Segmentation: A Lack of Separation
A lack of separation between the city’s administrative network and the treatment facility’s operational network can allow an attack originating within the city’s network to infiltrate critical infrastructure. In some cases, there isn’t even a firewall in place to separate the administrative network from the control systems.
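Both weaknesses described above, internet-exposed remote access and an administrative network that can reach the control network directly, can be checked against a firewall rule export. The Python audit below is an added example, not taken from the article or from the experts quoted; the address plan, the rule format and the rule names are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption); substitute the utility's real zones.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ZONES = {
    "admin": ipaddress.ip_network("10.10.0.0/16"),  # city administrative LAN
    "dmz": ipaddress.ip_network("10.40.0.0/24"),    # jump host for vendor access
    "ot": ipaddress.ip_network("10.50.0.0/24"),     # PLCs, HMIs, historians
}

# Constructed rule export (assumption): name, source CIDR, destination CIDR, action.
SAMPLE_RULES = [
    {"name": "vendor-remote", "src": "203.0.113.0/24", "dst": "10.50.0.20/32", "action": "allow"},
    {"name": "admin-to-hmi", "src": "10.10.0.0/16", "dst": "10.50.0.0/24", "action": "allow"},
    {"name": "admin-to-jump", "src": "10.10.0.0/16", "dst": "10.40.0.5/32", "action": "allow"},
    {"name": "jump-to-ot", "src": "10.40.0.5/32", "dst": "10.50.0.0/24", "action": "allow"},
    {"name": "block-rest", "src": "0.0.0.0/0", "dst": "10.50.0.0/24", "action": "deny"},
]

def zones_of(cidr):
    """Return every zone the CIDR overlaps, plus 'internet' if it extends outside INTERNAL."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not net.subnet_of(INTERNAL):
        hit.add("internet")
    return hit

def audit(rules, default_action="deny"):
    """Flag allow rules that let the internet or the admin LAN reach OT without the DMZ."""
    findings = []
    if default_action != "deny":
        findings.append(("<default>", "no default-deny between zones"))
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = zones_of(r["src"]), zones_of(r["dst"])
        if "ot" not in dst:
            continue  # only traffic entering the control network matters here
        if "internet" in src:
            findings.append((r["name"], "OT reachable from the internet"))
        if "admin" in src:
            findings.append((r["name"], "admin network reaches OT directly"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_RULES):
        print(f"{name}: {issue}")
```

Traffic that enters the control network only through the jump host in the DMZ produces no finding; a default policy of allow is reported on its own line because it corresponds to having no firewall between the two networks.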
Inadequate Protection of HMIs: A Critical Point of Control
Human-Machine Interface (HMI) systems, which allow engineers to control water flow, open and close valves, and manage chemical outputs, are highly sensitive. A breach here could lead to dangerous changes in the water supply. Modern security measures, like Endpoint Detection and Response (EDR) systems, are crucial to protect HMIs.
Recommendations for Utilities: Proactive Measures for Enhanced Security
To mitigate the risk of such attacks, Glick and Waldman recommend that utilities proactively adopt best practices, including:
- Securing Communication Channels: Securing communication channels such as email and USB devices is essential to prevent unauthorized access and malware infections.
- Network Segmentation: Employing network segmentation to prevent threats from spreading into operational technology (OT) environments is critical.
- Endpoint Protection: Implementing strong endpoint protection measures is essential to safeguard sensitive systems.
- Scanning Transient Devices: Utilities should evaluate solutions that can scan transient devices and maintain secure air-gaps between critical networks to prevent unauthorized access.
- Evaluating Cybersecurity Posture: Water and wastewater operators should proactively evaluate their facilities’ cybersecurity and address vulnerabilities before they become gateways for cybercriminals.
Previous Incidents: A Pattern of Cyberattacks on Critical Infrastructure
This is not the first time cyber adversaries have targeted the nation’s water treatment facilities. In April 2024, hackers attempted to breach a wastewater treatment plant in Indiana, prompting plant managers to dispatch maintenance personnel to investigate the suspicious activity.
In February 2021, unidentified cyber attackers gained access twice in a single day to a panel that controls the Oldsmar water treatment plant in Tampa, Florida. The initial intrusion was detected by a plant operator, who noticed that someone had remotely accessed the computer system that controls the plant's chemicals and other operations.
However, in 2023, an official at the Oldsmar water treatment facility stated that the 2021 remote access cybersecurity breach was not a hack at all. The incident has now been described as a case of an employee inadvertently clicking on the incorrect buttons before notifying his supervisors of his blunder.
Conclusion: A Growing Threat to Critical Infrastructure
The Kansas Water Facility Cyberattack on the Arkansas City water treatment plant serves as a stark reminder of the growing threat to critical infrastructure. The incident highlights the need for utilities to prioritize cybersecurity and adopt robust measures to protect their systems from malicious actors. As cyberattacks on critical infrastructure become increasingly sophisticated, it is essential for organizations to proactively identify and address vulnerabilities to ensure the safety and security of our nation’s essential services.