On September 22, 2024, the City of Arkansas, Kansas, water treatment facility experienced a cyber attack that forced the utility to switch to manual systems.
Located in Cowley County in the Midwestern state of Kansas, Arkansas is a small city with a population of about 12,000 people.
The Kansas water facility is the latest victim of cyber attacks targeting U.S. critical infrastructure, including drinking water and wastewater systems (WWS).
Outdated technology and failure to comply with the cybersecurity regulations of Section 1433 of the Safe Drinking Water Act (SDWA), which 70% of WWSs have violated, make WWSs easy pickings for cybercriminals.
Meanwhile, the City of Arkansas has assured residents that the safety and supply of drinking water and customer service would not be impacted.
Kansas water treatment cyber attack involved ransomware
The Water Information Sharing and Analysis Center (WaterISAC) has suggested that the Kansas water treatment facility cyber attack involved ransomware. WaterISAC claims that an unspecified ransomware group was responsible for the cyber attack.
“Arkansas City has notified relevant authorities and is collaborating with cybersecurity experts to manage the incident, which is believed to be a ransomware attack,” the center said.
A local media outlet also reported that a ransom note appeared on one of the affected computers to initiate ransom negotiations.
However, the water treatment facility has released limited information regarding the nature of the cyber attack, making it difficult to determine the amount of damage and whether the utility intends to pay the ransom.
Nevertheless, the Kansas city says the cyber attack did not disrupt water distribution services because the water treatment facility switched to manual systems to mitigate the impacts of the suspected ransomware cyber attack.
“Despite the incident, the water supply remains completely safe, and there has been no disruption to service,” said Arkansas City Manager Randy Frazer. “Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved.”
Additionally, the cyber attack did not compromise the safety or supply of drinking water, suggesting that the attack was either detected and mitigated on time or did not affect programmable logic controllers (PLCs).
“Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period,” the center said.
Nevertheless, on September 22, the city warned in a now-deleted Facebook post that it experienced some pump problems, although it was not immediately clear if this cyber attack caused the issue.
A ransomware attack typically affects internal business and customer applications with little to no impact on the water treatment process.
While PLCs are rarely the top target of ransomware attacks, Internet-exposed operational technology is low-hanging fruit for threat actors and could expose internal networks to more potent cyber attacks.
Poor network segmentation between IT and OT systems, various security vulnerabilities, and the lack of advanced security controls on the latter could allow hackers to pivot to corporate networks.
“One common way water treatment facilities are targeted is by improperly exposing remote access to the internet,” said Shawn Waldman, CEO and Founder of Secure Cyber. “This is frequently seen in water and wastewater plants because it provides external companies with easy access to perform maintenance. Unfortunately, this access is often insecure, making the facility an easy target for external threat actors.”
“This lack of separation can allow an attack originating within the city’s network to infiltrate critical infrastructure, such as a water treatment plant,” Waldman added. “In some cases, there isn’t even a firewall in place to separate the administrative network from the control systems.”
Consequently, hackers are increasingly targeting operational technology in disruptive cyber attacks against US critical infrastructure. In 2023, the Iranian-linked threat group Cyber Av3ngers targeted Israeli-made Unitronics PLCs, which control water pressure, to compromise the Aliquippa Municipal Water Authority in Pennsylvania.
Meanwhile, Arkansas City’s cybersecurity teams and federal authorities, including the FBI and the Department of Homeland Security, are working together to resolve the issue and further investigate the incident. Additional security measures are also in place to ensure uninterrupted water supply and customer service.
“Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents,” the City said.
U.S. water systems under attack
Water systems are part of a nation’s critical infrastructure (CI) and thus among the top targets in cyber warfare.
“Here we go again – Another water treatment facility has been compromised,” sighed Waldman. “While Arkansas City has assured there is no immediate threat to the drinking water, it’s worth discussing how such critical infrastructure becomes vulnerable to cyberattacks.”
In February 2024, the FBI warned that Chinese state-sponsored hackers were preparing cyber attacks against US critical infrastructure. Volt Typhoon, a Chinese state-linked threat actor, has already compromised various critical infrastructure entities, including water systems.
WaterISAC has also warned that Russian hackers were targeting US water systems, part of a wider geopolitical conflict that has pitted the two superpowers against each other.
“Unfortunately, we can expect more attacks like this in the future, particularly as the U.S. remains involved in global conflicts, such as those involving Russia and the Middle East,” Waldman continued. “Now is the time for water and wastewater operators to proactively evaluate their facilities.”
Increased cyber attacks on WWSs have prompted the EPA to issue guidelines on enhancing the cybersecurity resiliency of wastewater systems. The White House also hints at a possible second attempt at imposing cybersecurity regulations for water system operators.
“Given the unique and largely unregulated nature of cybersecurity in the water industry, it is essential for utilities to proactively adopt best practices,” advised Itay Glick, VP of Products at OPSWAT.

