American Water breach highlights infrastructure vulnerabilities
American Water, a leading provider of water and wastewater services in the United States, recently experienced a cybersecurity incident involving unauthorised activity in its computer networks and systems.
The company disclosed the breach, which has brought renewed focus on the vulnerabilities faced by critical infrastructure, including water treatment facilities.
Tim Erlin, a Security Strategist at Wallarm, highlighted that critical infrastructure, like other sectors, increasingly relies on digital transformation, including the use of Application Programming Interfaces (APIs) and web applications. Erlin referenced past incidents, such as the 2021 cyberattack on a water treatment facility in Oldsmar, Florida, which underscored the potential impact of cybersecurity threats on water safety. More recently, a water treatment plant in Kansas had to revert to manual controls following a cyber incident.
Erlin pointed out that financial constraints in cybersecurity often leave water and wastewater treatment facilities vulnerable. Despite efforts from the Cybersecurity and Infrastructure Security Agency (CISA) in the US to enhance cybersecurity within this sector, progress remains gradual and reliant on available funding. As technology evolves, including new connectivity methods, critical infrastructure must contend with an ever-changing landscape of potential cyber threats.
Sean Deuby, Principal Technologist at Semperis, also commented on the American Water cyberattack, emphasising the context provided by recent advisories. The US Environmental Protection Agency (EPA) had issued guidance to water treatment operators regarding cybersecurity, and the Biden administration had informed governors about the mounting cyber threats against such facilities.
Although the identity of the perpetrators behind the American Water incident remains unknown, Deuby commended the utility company for its prompt and effective response to mitigate the damage. He noted the escalating threat landscape, particularly within identity systems, which are often compromised in cyberattacks.
Deuby stressed that there are no all-encompassing solutions to address cybersecurity challenges for both public and private entities. A significant percentage of cyberattacks hinge on breaches involving identity systems like Active Directory. This system has been identified as a frequent target for initial access, propagation, and privilege escalation. In response, the Five Eyes Alliance, which includes security agencies from the US, Canada, Australia, the UK, and New Zealand, released a report addressing common attacks on Active Directory and offering defensive guidance.
Given the pervasive nature of these threats, Deuby recommended prioritising the protection of mission-critical identity systems. Measures include constant threat monitoring, enhanced security audits, comprehensive employee security training, and stringent control of Active Directory environments.
This incident at American Water adds to the series of challenges faced by critical infrastructure in strengthening its defence against cyber risks. While systems are being updated and security measures are becoming more robust, incidents like these highlight the ongoing vulnerability present within sectors essential to public health and safety.