January 10, 2025 By Jonathan Reed 4 min read

On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).

Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total cost of a data breach in the industrial sector was $5.56 million — an 18% increase for the industry compared to 2023. This represents the highest data breach cost increase of all industries surveyed in the report, rising by an average of $830,000 per breach over last year.

Ongoing vulnerabilities pose a serious threat to public safety and national security, especially as water systems and other critical infrastructure providers remain underprepared in the current threat landscape. Let’s take a closer look at the current state of critical infrastructure security, highlighting recent incidents, efforts to address vulnerabilities and the need for further collaboration between the government and private sectors.

Arkansas City Water Treatment Facility attacked

The cybersecurity incident at the Arkansas City Water Treatment Facility on September 22 exemplifies the growing risks. While city officials emphasized that the water supply remained safe and no disruption to service occurred, the breach still forced the facility to switch to manual operations. The incident is currently under investigation, with local authorities and cybersecurity experts collaborating to resolve the issue and prevent further attacks. But the Arkansas City breach is not an isolated incident; it mirrors a larger trend of attacks on water systems.

CISA has issued multiple warnings regarding the susceptibility of water and wastewater systems to cyber threats. Intruders often exploit outdated and unsecured OT and ICS environments, where systems are exposed to the internet or still using default credentials. This means cyber criminals can gain access using relatively simple techniques, which raises concerns about the overall preparedness of critical infrastructure operators.
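The two hygiene gaps named above (management interfaces reachable from the internet and unchanged factory credentials), together with the brute-force logins mentioned at the top of the piece, are the kind of thing a utility can check for itself before an intruder does. The script below is an added example, not code from this article, from CISA or from any vendor: the device inventory, the default-credential list, the log format and the log lines are all constructed for illustration, and the rule that OT management interfaces belong on RFC 1918 address space is an assumption a real site would adjust to its own network plan.

```python
"""Added example: a minimal cyber-hygiene audit for an OT/ICS asset inventory.

Everything here is constructed for illustration: the inventory, the default
credential list, the log line format and the sample log lines are made up.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: management interfaces should only live on these ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed list of factory defaults to flag (illustrative, not exhaustive).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("operator", "operator"),
}

# Constructed inventory; field names are an assumption, not any vendor's schema.
INVENTORY = [
    {"name": "plc-pump-01", "mgmt_ip": "10.20.0.11", "username": "eng", "password": "Xq7!vL2p#"},
    {"name": "hmi-intake", "mgmt_ip": "203.0.113.40", "username": "admin", "password": "admin"},
    {"name": "rtu-well-03", "mgmt_ip": "192.168.5.9", "username": "admin", "password": "password"},
]

# Constructed syslog-like lines: "<iso timestamp> <host> auth: FAILED|OK user=<u> src=<ip>"
LOG_LINES = [
    "2025-01-10T08:00:01 hmi-intake auth: FAILED user=admin src=203.0.113.77",
    "2025-01-10T08:00:04 hmi-intake auth: FAILED user=admin src=203.0.113.77",
    "2025-01-10T08:00:06 hmi-intake auth: FAILED user=admin src=203.0.113.77",
    "2025-01-10T08:00:09 hmi-intake auth: FAILED user=root src=203.0.113.77",
    "2025-01-10T08:00:12 hmi-intake auth: FAILED user=operator src=203.0.113.77",
    "2025-01-10T08:00:15 hmi-intake auth: OK user=admin src=203.0.113.77",
    "2025-01-10T09:30:00 plc-pump-01 auth: FAILED user=eng src=10.20.0.50",
    "2025-01-10T10:45:00 plc-pump-01 auth: FAILED user=eng src=10.20.0.50",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def is_internet_exposed(address: str) -> bool:
    """True when an address falls outside the ranges we expect OT management to use."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in PRIVATE_NETS)


def audit_inventory(devices):
    """Return (device, finding) pairs for exposed interfaces and default credentials."""
    findings = []
    for dev in devices:
        if is_internet_exposed(dev["mgmt_ip"]):
            findings.append((dev["name"], "management interface reachable from the internet"))
        if (dev["username"], dev["password"]) in DEFAULT_CREDENTIALS:
            findings.append((dev["name"], "factory default credentials still in use"))
    return findings


def detect_bruteforce(log_lines, threshold=5, window_seconds=60):
    """Flag (host, source) pairs with >= threshold failed logins inside one window.

    Each alert also records whether a successful login from the same source
    followed the burst, which is the case that needs immediate attention.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        key = (m["host"], m["src"])
        bucket = failures if m["result"] == "FAILED" else successes
        bucket[key].append(datetime.fromisoformat(m["ts"]))

    alerts = []
    for (host, src), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            burst_end = times[i + threshold - 1]
            if (burst_end - times[i]).total_seconds() <= window_seconds:
                alerts.append({
                    "host": host,
                    "src": src,
                    "failures": len(times),
                    "followed_by_success": any(t > burst_end for t in successes[(host, src)]),
                })
                break  # one alert per host/source pair is enough
    return alerts


if __name__ == "__main__":
    for name, issue in audit_inventory(INVENTORY):
        print(f"[hygiene] {name}: {issue}")
    for alert in detect_bruteforce(LOG_LINES):
        print(f"[auth] {alert}")
```

Running it on the constructed data reports the internet-facing HMI with default credentials, the RTU still on a default password, and a five-failure burst against the HMI that ended in a successful login. Real deployments would feed the audit from the site's asset register and the detector from the authentication logs of the devices or the jump host in front of them.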

CISA warnings and hacktivist activity

CISA’s September alert is not the first indication of the heightened threat to water and other critical infrastructure providers. Earlier in 2024, the agency warned that Russia-affiliated hacktivists were actively targeting ICS and OT environments in U.S. critical infrastructure facilities. Water systems, dams, and sectors such as energy and food were particularly vulnerable to these attacks.

The situation worsened with the rise of the Cyber Army of Russia Reborn, a hacktivist group tied to Advanced Persistent Threat 44 (APT44), commonly known as Sandworm. The group has been quite busy exploiting weak cybersecurity postures of smaller water systems that lack adequate cyber defense resources.

According to Keith Lunden of Mandiant, “We expect these attacks to continue for the foreseeable future given the lack of dedicated cybersecurity personnel for many small- and mid-sized organizations operating OT.” Unfortunately, hacktivist groups have exploited these gaps with relative ease. And without rapid intervention, these attacks will likely continue.


The State and Local Cybersecurity Grant Program (SLCGP)

Amidst the growing cyber threats, the U.S. Department of Homeland Security (DHS) has recognized the need for more support for state and local government cybersecurity. In fiscal year 2024, DHS announced the allocation of $280 million in grant funding for the State and Local Cybersecurity Grant Program (SLCGP). This funding aims to assist state, local, tribal and territorial governments in enhancing their cyber resilience. A special emphasis has been placed on protecting critical infrastructure systems like water utilities, energy grids and emergency services.

These grants will help organizations improve monitoring systems, patch vulnerabilities and implement critical cybersecurity measures such as multi-factor authentication and regular system audits. In states like Michigan, for example, government agencies are already working with local water utilities to provide cybersecurity training and support. The DHS funding could greatly expand these efforts, offering a much-needed boost to the security posture of critical infrastructure providers.

The Cyberspace Solarium Commission

In 2019, the Cyberspace Solarium Commission (CSC) was established by the U.S. Congress to develop a national cyber defense strategy. Currently, approximately 80% of its recommendations have been implemented. However, a final push is needed to address critical gaps, particularly regarding private-sector collaboration and insurance reforms.

One major challenge is identifying the “minimum security burdens” for systemically important entities critical to national security. This would ensure that high-priority infrastructure providers, such as key transportation systems and water utilities, receive the necessary support to prevent catastrophic events.

The CSC also highlighted the need to develop an economic continuity plan for cyber events. This would be nothing less than an incident response and resilience plan to protect the U.S. economy in the face of a major cyberattack. The commission also emphasized the need for better information sharing between government agencies, private industries and international partners to protect critical infrastructure from evolving cyber threats.

During a recent panel discussion, Senator Angus King, co-chair of CSC 2.0, pointed to the difficulties of building trust between the government and private sectors. Private entities own and operate the majority of the nation’s critical infrastructure, but historical tensions make collaboration challenging. King noted that the situation mirrors early tensions that existed between state officials and CISA. Nonetheless, the collaboration between private industry and government is essential to address the growing threat to critical infrastructure.

The state of critical infrastructure cybersecurity

The cybersecurity posture of U.S. critical infrastructure remains a concern. As seen in attacks like the Arkansas City Water Treatment Facility and other incidents targeting internet service providers, threat actors are increasingly focusing on essential services. These attacks are not limited to small municipalities. Larger-scale infrastructure providers, including ISPs and managed service providers, have also been targets.

The FBI recently disclosed that China-linked hackers compromised more than 260,000 network devices, underscoring the scale of the problem. Meanwhile, attacks attributed to the Chinese government have targeted ISPs and managed service providers through vulnerabilities in Versa Networks’ SD-WAN software, demonstrating the growing sophistication of these threats.

While the U.S. government is actively working to improve critical infrastructure cybersecurity, the attacks on water treatment systems and other essential services clearly reveal that more needs to be done. The DHS grant program and the recommendations of the Cyberspace Solarium Commission represent critical steps in this effort, but collaboration between government, private industry and international partners will be key to building a resilient defense against evolving threats.

The safety of critical infrastructure remains a pressing concern. Recent events should serve as a wake-up call for operators, policymakers and the public to take action before a cyberattack occurs that impacts human life and health. Undoubtedly, the threats are real — and any meaningful response requires a concerted effort.