This week CBS reported that American Water Works, a supplier of drinking water and wastewater services to more than 14 million people, said hackers had breached its computer networks and systems, prompting it to pause billing to customers. The company did not believe its facilities or operations were impacted by the incident but was initially “unable to predict the full impact.” In an effort to protect its customers’ data and to prevent any further harm to the environment, the company disconnected or deactivated certain systems. (CBS News)
Such attacks are nothing new. In March of this year, we reported that Cyberattacks are hitting water and wastewater systems throughout the United States. At that time, EPA Administrator Michael Regan and national security adviser Jake Sullivan sent a letter to state governors, emphasizing that, “We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices.” Regan and Sullivan said that, in many cases, “even basic cybersecurity precautions” are not in place at water facilities and “can mean the difference between business as usual and a disruptive cyberattack.”
Why and how do Cyberattacks on public infrastructure systems happen? And how can they be prevented?
According to Cybersecurity expert Ravi Das, Cyberattacks on critical infrastructure, such as public water systems, are nothing new. The good news is that understanding the risk and taking steps to safeguard such systems can go a long way toward protecting critical infrastructure systems against harmful or even catastrophic Cyberattacks. Here we present Ravi Das’s is expert perspective on this threat to public health and safety.
5 famous Cyberattacks on water systems and other critical infrastructure
In his 2022 article, “Five Famous Cyberattacks on Critical Infrastructure,” Ravi Das recounts previous attacks on public water, gas, oil, energy, and financial systems—including the 2013 attack on the Rye Brook Water Dam in New York. “Although the actual Infrastructure was small,” he explains, “the lasting repercussions from the attack were tremendous, primarily because it was one of the first instances in which a nation state actor was blamed; all fingers pointed towards Iran. The most surprising facet of this Cyberattack was that it occurred in 2013 but was not reported to law enforcement agencies until 2016. Even more striking is that the Malicious Threat Actors were able to gain access to the command center of these facilities by using an ordinary dial-up modem.” Read more about the Cyberattacks here.
Expert perspective: Why and how legacy IT systems put critical infrastructure at risk
Critical infrastructure is often at risk of Cyberattacks because they rely on outdated and ineffective technology systems. In his article, “The Security Challenges Posed to Industrial Control Systems,” Ravi Das explains that IT systems from the 70’s and 80’s still exist and put critical infrastructure at risk. He goes on to describe in detail the vulnerabilities of such legacy systems and the challenges of bringing them up to date. As daunting a task as modernizing such systems may be, doing so may very well protect critical infrastructure from catastrophic Cyberattacks.
Sources/References:
CNN
CBS
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.
Visit his website at mltechnologies.io