Providers of critical infrastructure in the United States are doing a sloppy job of defending against cyber intrusions, the National Security Council tells Fast Company, pointing to recent Iran-linked attacks on U.S. water utilities that exploited basic security lapses.
The security council tells Fast Company it’s also aware of recent intrusions by hackers linked to China’s military at American infrastructure entities that include water and energy utilities in multiple states. Neither the Iran-linked or China-linked attacks affected critical systems or caused disruptions, according to reports.
“We’re seeing companies and critical services facing increased cyber threats from malicious criminals and countries,” Anne Neuberger, the deputy national security advisor for cyber and emerging tech, tells Fast Company. The White House had been urging infrastructure providers to upgrade their cyber defenses before these recent hacks, but “clearly, by the most recent success of the criminal cyberattacks, more work needs to be done,” she says.
Since the start of the Israel-Hamas war, an Iranian hacking group known as CyberAv3ngers has been targeting U.S. water utilities that use Israel-manufactured Unitronics programmable logic controllers—common multipurpose industrial devices used for monitoring and regulating water systems. “[Such infrastructure] is often forgotten about, neglected, or both and presents an attractive target for nation-states,” says Gary Perkins, chief information security officer at cybersecurity firm CISO Global.
The attacks hit at least 11 different entities using Unitronics devices across the United States, which included six local water facilities, a pharmacy, an aquatics center, and a brewery. After taking control of the devices, hackers replaced their screens with the message “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” Matthew Mottes, the board chairman at the Pennsylvania-based Municipal Water Authority of Aliquippa, which was hacked, told reporters that the water authority disabled the affected system after the attack, and there was no impact to the water supply for local residents.
Some of the compromised devices had been connected to the open internet with a default password of “1111,” federal authorities say, making it easy for hackers to find them and gain access. Fixing that “doesn’t cost any money,” Neuberger says, “and those are the kinds of basic things that we really want companies urgently to do.”
But cybersecurity experts say these attacks point to a larger issue: the general vulnerability of the technology that powers physical infrastructure. Much of the hardware was developed before the internet and, though they were retrofitted with digital capabilities, still “have insufficient security controls,” says Perkins.
Additionally, many infrastructure facilities prioritize “operational ease of use rather than security,” since many vendors often need to access the same equipment, says Andy Thompson, an offensive cybersecurity expert at CyberArk. But that can make the systems equally easy for attackers to exploit: freely available web tools allow anyone to generate lists of hardware connected to the public internet, like the Unitronics devices used by water companies. “Not making critical infrastructure easily accessible via the internet should be standard practice,” Thompson says.
But just taking water hardware offline—what security professionals call “air-gapping”—isn’t enough, says Chris Clements, the vice president of solutions consulting at CISO Global. Clements says he once helped respond to a cyberattack on a water facility that had isolated its sensitive systems from the internet, but because of that, had failed to update the systems with the latest security patches. “So when an employee on the third shift decided to bring in a USB thumb drive with home-loaded games (as well as a network worm) and plugged it into the air-gapped network, the systems were completely defenseless, and every single one was infected within seconds,” he says—an attack that required a “multi-week-long cleanup.”
Thompson says he’s seen an “uptick in the number of attacks” on critical infrastructure, which he views as “directly connected to geopolitical tensions and global conflicts.” But the most recent attacks have been characterized less by their sophistication than by “the sheer volume of attacks being deployed, albeit by seemingly unskilled attackers,” and “the damage inflicted by recent attacks has been relatively minimal.”
Yet some attacks have come disturbingly close to doing far more harm. In July, federal prosecutors charged a man for using remote software to sabotage critical protections at a California water treatment plant where he previously worked, though the attack was detected and thwarted. In 2020, Iranian hackers tried to raise the levels of chemicals like chlorine in Israel’s water supply, and were “close to successful,” according to Western intelligence reports.
Still, the White House has struggled to rally the water sector behind tougher cybersecurity measures. In March, the Environmental Protection Agency released a memo requiring states to implement new cybersecurity measures at water systems, but the agency withdrew the memo in October after a judge ruled in favor of water industry groups and Republican states that sued the EPA, arguing that the measures would be too costly and that the agency didn’t have the authority to issue them.
For now, Neuberger hopes that companies critical utilities will see it in their own interest to “lock their digital doors,” and that manufacturers like Unitronics will “please, build security into your tech products.” These intrusions into water systems were “pretty basic attacks, and some basic cybersecurity practices would’ve prevented it,” she says. “This was defensible.”