Image: Annabel via Wikimedia Commons (CC BY-SA 4.0)

CISA warns of continuing attacks on water systems after Kansas town reports incident

Government-run water systems are still at risk of attack by cybercriminals and nation-states, according to a new advisory from the U.S.’s top cybersecurity agency.

The notice from the Cybersecurity and Infrastructure Security Agency (CISA) came two days after Arkansas City, Kansas, reported a cybersecurity issue that forced it to switch to manual operations. 

On Thursday, CISA said it continues to “respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.” 

“Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm,” CISA said.

The cyber agency urged operators to apply previously released recommendations to defend systems. 

The attack on Arkansas City — home to about 11,000 people — started on Sunday morning. City Manager Randy Frazer declined to answer questions about whether the FBI and CISA were involved in the response to the attack, but said the water supply “remains completely safe and there has been no disruption to service.”

"Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved. Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period," he said on Monday. 

He said cybersecurity experts and government authorities are now working to resolve the situation. He did not respond to requests for an update on Wednesday. 

Due to their importance, the more than 150,000 public water systems in the U.S. have become a focal point of debate about what role federal and state governments have in protecting the public from a cybersecurity perspective. 

Water industry groups last year partnered with Republican lawmakers to stop federal efforts to protect water systems despite significant increases in the number of ransomware attacks and nation-state intrusions. 

Even after a string of attacks on U.S. water systems last fall by hackers allegedly connected to the government of Iran, groups like the American Water Works Association have insisted that they should be able to write their own cybersecurity rules governing the sector.

Several cybersecurity experts said they have seen an increase in attacks on industrial water systems and echoed CISA in explaining that one of the key issues is the fact that many water systems continue to connect industrial tools to the internet as a way to remotely manage them.

Waterfall Security Solutions CEO Lior Frenkel told Recorded Future News that in his extensive work with water system operators, many either don’t know what tools are connected to the internet or believe the benefits outweigh the dangers.

“Systems that are connected to the internet can be shut down or manipulated or can impair the process that they are controlling,” he said. 

“All of that should never be accessible from the internet unless there's such a need that you can say that need is stronger than the risk. But the default today is they are connected. We try to put them off the grid. The default should be everything is off the grid, and you connect only what's the bare necessity.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.