Cyberthreat Arises: US Water Systems in the Crosshair

Nestled in the heart of southern Vermont, a stone’s throw away from the renowned Okemo ski region, a water treatment facility experiences an unexpected flow of water. The responsibility of managing this crisis falls onto the shoulders of Chris Hughes, the delegated water and wastewater operator for Cavendish and Proctorsville. On this occasion, he surmises that a rogue lightning strike could be the prime culprit disrupting the treatment process. Other instances may involve an accumulation of iron in the water, a misplaced manhole lid, or a surge of so-called ‘flushable’ wipes, notorious for causing system blockages. Hughes has honed his skills to adeptly rectify these issues, but a more malignant threat looms on the horizon: cyberattacks aimed at creating chaos within the system.

This emerging, insidious threat has already begun manifesting itself throughout the nation. In a startling instance, Iranian cyber criminals successfully compromised a water treatment plant’s computer networks in Aliquippa, Pennsylvania, using their access to project anti-Israel propaganda in November 2023. By December of the same year, the Municipal Water Authority of Aliquippa fell victim to yet another breach, becoming one amongst several entities across the US that fell prey to an Iran-related cyber onslaught intentionally directed at an Israeli-manufactured industrial control device.

The subsequent month, January 2024, saw the unsettling occurrence of a water system overflow in the quaint rural town of Muleshoe, Texas, courtesy of a cyberattack later traced back to Russian hacktivists. Moreover, American officials have reported incidents of Chinese hackers embedding themselves deep within the country’s critical infrastructure, including water systems, possibly laying groundwork for future conflicts with the United States. These incidents serve as stark reminders of an expanding issue, a sentiment echoed by the U.S. Environmental Protection Agency (EPA) as it warns of rapidly escalating cyber threats against community water systems.

Recognizing the accelerating risks, Hughes, along with the communities he serves, has decided to participate in an innovative pilot program. This initiative connects those in charge of the US critical infrastructure with voluntary cybersecurity experts who possess the necessary skills for safeguarding such systems. They are staring at a complicated road map dotted with outdated systems and a paradoxical apprehension, that much-needed technological advancements might just open the door for further digital vulnerabilities.

The uphill task intensifies considering this is coinciding with an anticipated reduction in federal aid towards cybersecurity efforts. To counter this, Hughes has joined hands with a nascent venture formulated by several industry-leading figures in the field of cybersecurity. Named ‘Project Franklin’, this endeavor seeks to facilitate a vital exchange between US critical infrastructure operators and expert cybersecurity professionals.

Project Franklin is a refreshing entrant in the emerging trend of grassroots ventures aimed at finding answers to secure the expansive, intricate web that constitutes the national infrastructure. This includes not just water treatment plants, but also other essential services: hospitals, educational institutions, dams, and power grids. This commitment is a combined effort of corporations donating their precious time and cutting-edge technology, and nonprofit organizations providing much-needed expertise and support.

For various industries, the primary task entails enhancing their awareness of this rising digital menace, followed by implementing fundamental control measures to combat the most recurrent cyber threats. Subsequent steps would involve devising strategies capable of combating more advanced challenges, potentially on a grand scale.

The expectation is that volunteers, equipped with years of experience in government cybersecurity, intelligence agencies, or large corporations, will initiate meaningful dialogues with individuals managing the critical machinery that keeps American society functioning. This will instigate a progressive shift from mere theoretical understanding to pragmatic, actionable solutions.

Leading cybersecurity companies such as Cloudflare and Dragos are setting the tone for the future, stepping forward to donate advanced tools to Project Franklin. This significant contribution will play a key role in scaling resources, with the ultimate goal of effecting substantial security enhancements across the United States.

It would be shortsighted, however, to consider this issue as a uniquely American problem. On the contrary, these types of digital attacks seem to be increasingly occurring worldwide, which only augments the urgency to safeguard these indispensable systems. As adversaries continue refining their knowledge on manipulating these systems, it becomes all the more crucial to stay ahead of this menacing curve.